Information Security News mailing list archives

Davis reinforces security rules
From: InfoSec News <isn () c4i org>
Date: Fri, 8 Mar 2002 01:51:47 -0600 (CST)

http://www.fcw.com/fcw/articles/2002/0304/web-gisra-03-07-02.asp

By Diane Frank 
March 7, 2002

Rep. Tom Davis (R-Va.) introduced a bill March 6 that would update and
extend the Government Information Security Reform Act, as members of
Congress expressed concern over current legislation.

Besides permanently reauthorizing GISRA, which is due to expire Nov. 29,
Davis' Federal Information Security Management Act (FISMA) requires
agencies to follow security standards and tools developed by the
National Institute of Standards and Technology. Under current
legislation, those standards are simply recommendations.

"In general, FISMA streamlines GISRA's provisions and requires that
agencies utilize information security best practices that will ensure
the integrity, confidentiality and availability of federal information
systems," Davis testified before the House Government Reform
Committee's Government Efficiency, Financial Management and
Intergovernmental Relations Subcommittee.

Those best practices would include the security assessment
questionnaire developed by NIST last year. Many agencies are using
that tool already, and this month NIST will release the first
automated version of the questionnaire, according to Joan Hash,
manager of the NIST Computer Security Division's security management
and guidance group.

The bill also addresses one of the primary concerns of congressional
officials: reporting requirements.

GISRA's primary provision is the annual security assessments that
every agency chief information officer and inspector general must turn
in to the Office of Management and Budget. At the hearing, held by
subcommittee chairman Rep. Stephen Horn (R-Calif.), several officials
raised concerns about GISRA reporting requirements. Part of the reason
for the short sunset date on GISRA was to give Congress time to
examine the bill, which passed at the end of the session in 2000 with
very little discussion. A number of problems already have become
apparent, said Rep. Janice Schakowsky (D-Ill.), ranking member on the
subcommittee.

One main problem is the fact that GISRA does not require agencies to
provide Congress with their entire report, only a summary that goes
through OMB, she said. OMB released the first of these reports last
month. The fact that Congress sees only this summary means members did
not get to see any of the agencies' corrective action plans, leaving
them in the dark about the status of agencies' security, she said.

The General Accounting Office is reviewing the implementation of GISRA
for the subcommittee. GAO officials also are concerned about the lack
of access to full reports and action plans, because it limits
Congress' ability to oversee agencies' compliance and hampers
current-year budget deliberations, said Robert Dacey, director of
information security issues at GAO.

Davis' bill addresses this issue by requiring OMB to include in its
annual report to Congress not only the summary of findings and
deficiencies, but also "planned remedial actions to address such
deficiencies."