http://www.govexec.com/story_page.cfm?articleid=37243
By Daniel Pulliam
govexec.com
June 19, 2007
The federal law governing information security policies at agencies
could come under scrutiny during a House subcommittee hearing Wednesday
that will focus on cybersecurity incidents at the Homeland Security
Department.
The House Homeland Security Subcommittee on Emerging Threats,
Cybersecurity and Science and Technology is scheduled to hear testimony
from DHS Chief Information Officer Scott Charbo and the Government
Accountability Office. While the hearing will focus on DHS, industry and
congressional sources have indicated that a broader discussion of the
2002 Federal Information Security Management Act is likely to arise.
Despite its status as the nation's security agency, DHS has not been a
model of computer security law compliance. In April, the department
received a D grade [1] on an annual congressional report card measuring
how well agencies follow FISMA. The department flunked the previous
year.
In a statement Tuesday, Rep. Bennie Thompson, D-Miss., chairman of the
Homeland Security Committee, said Congress has "to turn FISMA away from
a paper exercise." He said that optimal security policies would require
agencies to monitor their networks, conduct penetration tests, complete
forensic analyses and mitigate vulnerabilities.
"Though FISMA brought much needed attention to federal information
security, agencies can still receive high grades for compliance and be
insecure," Thompson said. "Implementing those efforts will mean better
security on our networks, and that's the next step the federal
government needs to take."
Thompson is expected to attend the hearing and give an opening
statement.
In April, Donald Reid, senior coordinator for security infrastructure at
the State Department's Bureau of Diplomatic Security, told the
subcommittee [2] that FISMA does not "tell the whole story" when it
comes to agencies' information security practices.
"Our ability to detect and respond to intrusions . . . nowhere is that
measured in FISMA," Reid said. "It's a great baseline log, but we
clearly have more work to do."
Another criticism of FISMA is that compliance is measured based on
reports produced by agencies, rather than independent auditors. Such a
setup does little to hold agencies accountable for instituting proper
security, according to critics.
Rep. Tom Davis, R-Va., who issues the annual report card on FISMA
compliance and serves on the Homeland Security Committee, said in a
statement that he expects Wednesday's hearing to involve "the usual
suspects with complaints: failing agencies, those who misunderstand what
the act was designed to do and those who fail to recognize what it has
accomplished" in making IT security a priority at federal agencies.
"Certainly, we want to avoid a 'check the box' mentality," Davis said.
"We need to incentivize strong information protection policies and
pursue a goal of security rather than compliance. The FISMA process is a
good one, but we'll always ask if we can make it better."
Davis said additional work is needed in developing effective security
plans and establishing milestones to measure implementation progress.
"More improvement is needed in how systems are configured from a
security standpoint and for training for employees with significant
information security responsibilities," Davis said. "We continue to meet
with public and private stakeholders searching for other ideas for what
might be most effective."
Wednesday's hearing is expected to focus on questions stemming from
specific incidents on DHS networks such as hacking, classified leaks,
unauthorized use by contractors and computer viruses.
GAO has been asked to describe findings on an unnamed DHS network that
is "riddled with significant information security control weaknesses
that place sensitive and personally identifiable information at
increased risk of unauthorized disclosure," according to a hearing
briefing document [3].
The department's efforts to consolidate its computer networks under one
roof also are likely to enter into the discussion, as are questions
about "the lack of IT security funding" at DHS, the document indicates.
The committee sent Charbo letters on April 30 and May 31 that indicate
the panel already has taken up its own investigation of the department's
IT security, asking more than 25 questions over the course of two months
about the status of the department's network security.
[1] http://govexec.com/dailyfed/0407/041207p1.htm
[2] http://govexec.com/dailyfed/0407/042007p1.htm
[3] http://www.govexec.com/pdfs/Onepageron620hearing.doc
Received on Wed Jun 20 00:11:07 2007