Commentary

Senate Committee Approves Updated FISMA Bill

The Senate Homeland Security and Government Affairs Committee just approved S.3474, which will update the Federal Information Security Management Act (FISMA), in the hope of lifting federal security efforts beyond what many have deemed a paperwork shuffle that does little to boost security.
The Federal Information Security Management Act of 2008 could be the biggest overhaul to the act, which aims to strengthen federal security, since its 2002 inception.

Here are some highlights I gleaned from the bill:

Audits: The current round of "evaluations" will be replaced by presumably more stringent audits.

CISOs: Each federal agency will need to designate a Chief Information Security Officer who will report directly to the Chief Information Officer. These CISOs will, according to the bill in its current form, not only be charged with providing security, but have the authority to do so. From the bill:


The Chief Information Security Officer of an agency shall be responsible for and have the authority to assure that any information system connected to the network (directly or indirectly) that does not comply with security policies and standards, or has been compromised, is denied access and use of the agency network until the information system meets or exceeds accepted security policies and standards.

Establish a CISO Council: The council members will exchange their real-world experiences and work together to promote the development and use of standard performance measures for the agencies.

Costing: The bill also requires agencies to develop cost estimates and bi-annual implementation progress reports to Congress.

Because the bill must now pass the Senate, there's little sense in discussing the minutiae until it's passed in its final form. So far, adding accountability, designating CISOs, and giving them a reasonable amount of authority looks like a good step forward to me.
