The Federal Information Security Management Act of 2008, or FISMA, comes in response to the need to reduce federal information security vulnerabilities as revealed in recent hearings called by Sen. Carper as chairman of the Subcommittee on Federal Financial Management, Government Information, Federal Services and International Security.
Sen. Carper's Senate oversight hearings have examined how well agencies have reduced information security risks, only to find countless examples of foreign and domestic cyber attacks on U.S. information networks.
“It is intolerable that every day, private and sensitive government information and other data about Americans is compromised, stolen or improperly protected,” said Sen. Carper. “Our security management legislation will hold federal agencies accountable for their ability to monitor, detect and respond to cyber security incidents.”
Homeland Security and Governmental Affairs Committee Chairman Sen. Joe Lieberman (ID-Conn.), an original cosponsor of the bill, said, “The federal government needs to be more vigilant against the theft, misuse, and abuse of information in its possession. Over the past several years we have seen time and time again how vulnerable our systems are, making protection of government data a central concern for the 21st century. This bill builds on the original FISMA legislation in my E-Government bill of 2002, and will help provide agencies with the tools they need to protect their assets.”
In March of this year, Sen. Carper’s hearing uncovered that many agencies had turned the original intent of FISMA largely into a compliance and paperwork exercise. Instead of measuring whether agencies were actually securing their systems, the Office of Management and Budget and the Inspectors General were measuring whether agencies produced the right documents.
“Measuring an agency’s compliance does not stop the countless examples of data loss due to negligence or willful intent,” Sen. Carper stressed. “Missing or stolen data could potentially cause harm to many individuals, companies or the federal government if information fell into the wrong hands.”
To improve information security, Sen. Carper’s FISMA amendment will 1) standardize the information security audits performed by Inspectors General; 2) create a Chief Information Security Officer Council to establish information security best practices and guidelines, while strengthening the role of Chief Information Security Officers; 3) allow the Department of Homeland Security to conduct “red team” penetration tests against civilian agencies; and 4) allow Congress to measure the effectiveness of agencies’ information security plans and procedures.
In addition, the Carper bill mandates that the Department of Homeland Security provide annual reports to Congress on the government’s ability to safeguard sensitive information.