Cyber Security Institute

Sunday, March 31, 2013

7 Duties for CISOs under FISMA Reform

A House panel approved and sent to the full House of Representatives legislation to reform the Federal Information Security Management Act, the 11-year-old law that governs IT security in the federal government. The bipartisan Federal Information Security Amendments Act of 2013 unanimously passed the House Oversight and Government Reform Committee by a voice vote on March 20. If enacted, the legislation would replace the current FISMA law, which relies heavily on a checklist approach to IT security that many people in government contend does not truly show how secure agencies' IT systems are. An agency's chief information officer could serve simultaneously as CISO; however, the bill would require that information security be the CISO's main focus. The bill assigns the CISO seven duties:

  1. Overseeing the establishment and maintenance of a security operation that, through automated and continuous monitoring, can detect, contain and mitigate incidents that impair information security and agency information systems;
  2. Developing, maintaining and overseeing an agencywide information security program;
  3. Developing, maintaining and overseeing information security policies, procedures and control techniques to address all applicable requirements;
  4. Training and overseeing personnel with significant responsibilities for information security;
  5. Assisting senior agency officials on cybersecurity matters;
  6. Ensuring the agency has a sufficient number of trained and security-cleared personnel to assist in complying with federal cybersecurity law and procedures;
  7. Reporting at least annually to agency executives on the effectiveness of the agency information security program; on information derived from automated and continuous monitoring, including threat assessments; and on progress on actions to remediate threats.

If enacted, the bill would create a federal information security incident center to provide timely technical assistance to operators of agency information systems regarding security incidents; compile and analyze information about incidents that threaten information security; inform operators of agency information systems about current and potential information security threats and vulnerabilities; and consult with the National Institute of Standards and Technology, agencies or offices operating or exercising control of national security systems regarding information security incidents and related matters.

The legislation also would give the director of the White House Office of Management and Budget the authority to oversee the development and implementation of policies, principles, standards and guidelines on information security as well as oversee the operations of a federal information security incident center.

Tom Carper, the Delaware Democrat who chairs the Senate Homeland Security and Governmental Affairs Committee, has promised that his panel will draft a FISMA reform measure, but it is unclear whether it would be in the form of a standalone bill or part of a more comprehensive cybersecurity legislative package.
