New ICE bill would overhaul federal cybersecurity

A bill set to be introduced in the Senate on Tuesday would make wholesale changes to the way the federal government handles information security, including the establishment of a National Office for Cyberspace, which would sit right below the president. According to a story on SearchCompliance.com, the bill, known as the Information and Communications Enhancement Act, also contemplates an overhaul of the controversial FISMA legislation.

The Federal Information Security Management Act (FISMA) was passed in 2002 and has come under heavy criticism ever since for its reliance on handing out grades for agencies’ compliance with a checklist of security items. Many in industry and government have said for years that FISMA has created a checkbox mentality that encourages security staffs to simply address the act’s requirements without actually doing anything to improve security.

As SearchCompliance.com’s Alex Howard reports:

Compliance with FISMA would also be changed, directly correlating it with security tools to measure progress, said Alan Paller, director of research at The SANS Institute, a Bethesda, Md.-based nonprofit cybersecurity research group. Instead of offering high grades for compliance under a FISMA checklist, gap analysis and vulnerability assessments would be used to measure the effectiveness of agency cybersecurity preparation.

“FISMA measured the wrong things,” Paller said in a panel session last week at RSA. “FISMA needs a fundamental change to enable prioritization of resources so that costs can be controlled and Web application security can go from ‘missing’ to ‘covered.’” The new FISMA requirements call for government agencies and DoD contractors to comply with a set of prioritized controls that reflect their ability to detect and stop cyberattacks. The Rockefeller-Snowe cybersecurity bill introduced recently contains far-reaching requirements that would cover security infrastructure.

The ICE bill, which will be introduced by Sen. Thomas Carper of Delaware, looks like a good start in the process of changing the counterproductive compliance culture that has grown up in Washington in the last decade. But the reality is that it’s a long road from the introduction of a bill to the president signing it into law. If the ICE bill makes it that far, it almost certainly will have undergone major changes. Let’s just hope that the main provisions are intact.

There is a hearing on Tuesday morning on this topic in the Senate Committee on Homeland Security and Government Affairs. You can see the webcast here.

*Composite image via zimpenfish’s Flickr photostream.