New legislation targets the effectiveness of federal information security policies and procedures and wasteful spending on IT infrastructure projects. The bills would increase the authority and capability of government chief information security officers to monitor, detect and respond to security breaches. Under the proposed bills, a chief information security council would be established under the direction of the National Cyber Security Center.
After a summer of dismal reports about the United
States' ability to protect its networks
and manage investments in its IT
infrastructure, the U.S. Senate Homeland Security and Governmental Affairs
Committee Sept. 23 approved legislation intended to improve both.
The Federal Information Security Management Act of 2008 (S. 3474) targets
the effectiveness of information security policies and procedures and increases
the authority and capability of chief information security officers to monitor,
detect and respond to security breaches.
FISMA, as the bill is widely known, also attempts to break down "artificial
barriers" to compliance and increases collaboration between agencies by
establishing a chief information security council under the direction of the National
Cyber Security Center.
In addition, the bill directs the Department of Homeland Security to conduct mock
attacks against agency networks to discover vulnerabilities.
"It was extremely sobering to learn how often and how easily agency
information networks can be compromised," Sen. Tom Carper, D-Del., said in
a statement. "We are open to attack not only from countries like Russia
and China, but
to criminal syndicates and terrorists. It is frightening to learn that the most
powerful government in the world has essentially been helpless until now in
preventing these information technology attacks."
Carper, who sponsored the FISMA bill, also won approval for his IT
Investment Oversight and Waste Prevention Act of 2008 (S.3384). According to a
July report by the Government Accountability Office, government
agencies are spending billions of dollars on IT investments that are redundant,
lack clear goals and are managed by unqualified individuals.
Some of the projects have been delayed for more than a decade and are
costing billions more than originally budgeted. Since 1994 Congress has
required federal agencies to keep costs, delivery dates and performance goals
of major IT acquisitions within 90 percent of the originally proposed plan. The
OMB (Office of Management and Budget) is mandated to provide Congress with a
yearly report on the progress of the agencies. The OMB has produced three
reports in 14 years.
"IT investments contain an inherent risk that the system may cost more
than expected or not perform the way it was planned," Carper said. "But
I believe it is simply unacceptable that $21 billion dollars, or nearly a third
of our IT budget, may be wasted this year because so many projects are poorly
planned or managed."
Carper's bill would require quarterly reporting to CIOs on a project's cost,
schedule and performance, and notifying Congress of any significant deviations.
Agencies would also be required to provide Congress with information on each
agency's most critical and high-risk projects with an independent cost estimate
and reports on any changes to the original plan.
The legislation also calls for the OMB to assemble a team of IT
professionals to work with agencies to improve troubled projects before they
spiral out of control.
"Although agencies are responsible for the
excessive rebaselining, there is one thing in common between all these
investments. Every baseline and rebaseline was approved by the OMB,"
Carper said at a July hearing. "Someone, somewhere-in my view-is not
fulfilling their responsibility to ensure that taxpayer money dollars are spent
only on those investments that are well thought out and truly necessary."