Is U.S. ICE the New FISMA?

Posted 05-08-2009

The United States Information and Communications Enhancement Act of 2009 (U.S. ICE Act of 2009) was introduced to the Senate on April 28, 2009.  This bill, if successfully passed, would overhaul the provisions currently in FISMA and seek to strengthen information security in the federal government. 

Link to full text: http://www.govtrack.us/congress/billtext.xpd?bill=s111-921

As quoted by Sen. Tom Carper (D.-Del):

“Instead of agencies wasting precious resources producing security plans that are outdated as soon they are printed, my bill requires agencies to continuously monitor their networks for cyber intrusions and malicious activities, take steps to address their vulnerabilities, and then regularly test whether the steps they are taking to secure their networks are effective.”

Although the bill as written would improve upon the current FISMA Act of 2002, the bill should be evaluated carefully by the assigned Committee to address how the new requirements can be integrated effectively into the federal government, which has been trying to build processes to meet and measure compliance under FISMA.

Additionally, the bill introduces necessary steps that should be taken to adjust the focus of security from compliance as a “paper exercise” to compliance as a “security exercise”. By adding scope for the wider adoption of standardized security configurations, the government would expand upon the Federal Desktop Core Configuration (FDCC) to require commercial-off-the-shelf (COTS) products and services to be standardized, including using products and services with secure baseline configurations consistent with standards and guidelines developed by NIST. This raises the importance of the Security Content Automation Protocol (http://scap.nist.gov/index.html), which has slowly been taking shape, and hopefully would enable agencies to more effectively assess their security configuration on a regular basis. This would also enable federal agencies to improve their compliance to known security baselines, currently only possible with FDCC.

Another important function of the US ICE that should not be overlooked is the restructuring of the leadership within the federal government to raise the level of importance of IT security to the White House (National Office of Cyberspace). The Office of Management and Budget (OMB) E-gov Administrator (previously Karen Evans) has been the face of FISMA since its inception. However, as noted in the bill, “the information infrastructure of the United States is a strategic national resource vital to our democracy, economy, and security.” Any American would probably agree that the Internet is a critical and key resource. But beyond the basis of connecting people and enabling national and international communications, the infrastructure supporting the Internet extends beyond a web browser and the web servers. The interconnection of our infrastructure supports every facet of every American's life, from healthcare to the stock market. Our reliance on the information infrastructure should require the federal government to ensure this infrastructure is managed at the highest levels within the government. The current organizational leadership does not have the authority to make the necessary changes within many agencies; this should be changed to ensure Chief Information Security Officers (CISOs), whether at the department level or within an individual government program, are given the ability to effectively execute their roles to ensure the information and information systems are protected (commensurate with the risk).

I look forward to following this new legislation, and the roadmap that will follow. Ideally, the work being done under the current FISMA should be reused, and any processes that would be added or changed should be phased into the current security landscape carefully to ensure those that must implement ICE (i.e., IT Security Officers, Security Managers, Business Unit Executives and Managers, etc.) within their organization fully understand the changes and how to apply them.
