New FISMA Bill Gets Committee OK
William Jackson writes on GCN.com:
The Senate Homeland Security and Government Affairs Committee yesterday approved a Senate bill that would update the Federal Information Security Management Act.
S. 3474 [.pdf], The FISMA Act of 2008, was introduced Sept. 11 by Sen. Tom Carper (D-Del.) to address concerns that FISMA compliance had become a paperwork drill without ensuring improved IT security. The bill would require annual security audits by agencies and would give chief information security officers broader authority to enforce FISMA requirements.
FISMA is the primary law governing federal IT security, requiring risk-based security controls for non-national-security information systems and the certification and accreditation of systems. Carper’s bill would focus on ensuring that controls provide adequate security, replacing current FISMA evaluations with formal annual audits and requiring the appointment of chief information security officers in each civilian agency with authority to enforce FISMA compliance. The bill also would establish a CISO Council directed by the National Cyber Security Center and require the Homeland Security Department to conduct regular red team penetration tests against networks.
Adequate IT security also would be required on all contractor networks, and the Office of Management and Budget would establish contract language on IT security reflecting these requirements.