After a summer of dismal reports about the United States' ability to protect its networks and manage investments in its IT infrastructure, the U.S. Senate Homeland Security and Governmental Affairs Committee Sept. 23 approved legislation intended to improve both.
The Federal Information Security Management Act of 2008 (S. 3474) targets the effectiveness of information security policies and procedures and increases the authority and capability of chief information security officers to monitor, detect and respond to security breaches.
FISMA, as the bill is widely known, also attempts to break down "artificial barriers" to compliance and increases collaboration between agencies by establishing a chief information security council under the direction of the National Cyber Security Center. In addition, the bill directs the Department of Homeland Security to conduct mock attacks against agency networks to discover vulnerabilities.
"It was extremely sobering to learn how often and how easily agency information networks can be compromised," Sen. Tom Carper, D-Del., said in a statement. "We are open to attack not only from countries like Russia and China, but to criminal syndicates and terrorists. It is frightening to learn that the most powerful government in the world has essentially been helpless until now in preventing these information technology attacks."
Carper, who sponsored the FISMA bill, also won approval for his IT Investment Oversight and Waste Prevention Act of 2008 (S.3384). According to a July report by the Government Accountability Office, government agencies are spending billions of dollars on IT investments that are redundant, lack clear goals and are managed by unqualified individuals.
Some of the projects have been delayed for more than a decade and are costing billions more than originally budgeted. Since 1994 Congress has required federal agencies to keep costs, delivery dates and performance goals of major IT acquisitions within 90 percent of the originally proposed plan. The OMB (Office of Management and Budget) is mandated to provide Congress with a yearly report on the progress of the agencies. The OMB has produced three reports in 14 years.
"IT investments contain an inherent risk that the system may cost more than expected or not perform the way it was planned," Carper said. "But I believe it is simply unacceptable that $21 billion dollars, or nearly a third of our IT budget, may be wasted this year because so many projects are poorly planned or managed."
Carper's bill would require quarterly reporting to CIOs on a project's cost, schedule and performance, and notifying Congress of any significant deviations. Agencies would also be required to provide Congress with information on each agency's most critical and high-risk projects with an independent cost estimate and reports on any changes to the original plan.
The legislation also calls for the OMB to assemble a team of IT professionals to work with agencies to improve troubled projects before they spiral out of control.
"Although agencies are responsible for the excessive rebaselining, there is one thing in common between all these investments. Every baseline and rebaseline was approved by the OMB," Carper said at a July hearing. "Someone, somewhere-in my view-is not fulfilling their responsibility to ensure that taxpayer money dollars are spent only on those investments that are well thought out and truly necessary."