Cyber Security Institute

Saturday, April 20, 2013

FISMA Reform Passes House on 416-0 Vote

By a vote of 416 to 0, the House passed on April 16 the Federal Information Security Amendments Act of 2013, which updates the Federal Information Security Management Act of 2002. The Federal Information Security Amendments Act, H.R. 1163, would require federal agencies to continuously monitor their IT systems for cyberthreats and implement regular threat assessments. “This bipartisan legislation will address the shortcomings of FISMA by incorporating recent technological innovations, and enhance and strengthen the current framework that protects federal information technology systems,” said the bill’s chief sponsor, Rep. Although most federal agencies have chief information security officers to coordinate IT security activities, the new FISMA legislation would require them to have CISOs to develop, implement and oversee agencywide IT security programs.


The bill addresses a perceived shortcoming of FISMA, which promoted a checkbox mindset in the federal government, where grading agencies on the security items they can check off a list to impress auditors seemed more important than monitoring systems continuously to determine if they’re secure.

Absent from the Federal Information Security Amendments Act are provisions that would grant the Department of Homeland Security increased authority to oversee federal civilian agencies in the implementation of information security. The Obama administration, backed mostly by Senate Democrats, has ceded some of the Office of Management and Budget's oversight of government IT security to DHS, and the Cybersecurity Act of 2012 would have codified that. Distrust exists among some lawmakers about giving that kind of authority to DHS, and contention last year over Homeland Security's role in governing IT among civilian agencies is one (but not the only) reason the Cybersecurity Act never came up for a vote.

Under the Cybersecurity Enhancement Act, approved 402-16, the National Science Foundation, National Institute of Standards and Technology and other key federal agencies would develop and implement a strategic plan for federal cybersecurity research and development. NIST would be required to have a specific focus on the security of the industrial control systems that run critical infrastructure, such as the power grid, and identity management systems that protect private information.
Posted on 04/20