Bill Would Extend Federal Information Security Tests

The Federal Information Security Management Act would permanently reauthorize a law that's set to expire later this year to force federal agencies to take steps to assure the security of their IT systems.

InformationWeek Staff, Contributor

March 6, 2002

Federal information technology continues to be woefully unprotected from malicious attacks and benign interruptions, Rep. Tom Davis, chairman of the House Subcommittee on Technology and Procurement Policy, said Wednesday.

"It's clear that the state of federal information security suffers from a lack of coordinated, uniform management," the Virginia Republican told the House Subcommittee on Government Efficiency, Financial Management, and Intergovernmental Relations.

Davis on Wednesday introduced the Federal Information Security Management Act to permanently reauthorize a law that's set to expire later this year to force federal agencies to take steps to assure the security of their IT systems. The new legislation strengthens the role played by the National Institute of Standards and Technology in developing and maintaining standards for minimum information-security controls. It compels federal agencies to identify risks associated with their systems and implement appropriate protections. To put teeth into the NIST-developed standards, the bill requires the Office of Management and Budget to make the standards compulsory, so agencies cannot waive the standards as existing law allows.

The General Accounting Office, the investigative arm of Congress, continues to find persistent flaws in federal IT management, with 24 agencies evaluated last year each receiving a failing grade, and only one agency obtaining a grade higher than a C+. "While these grades are disappointing," Davis said, "they reflect the difficulty of implementing effective security management without sufficient commitment and guidance from an accountable entity within each agency, and for the federal government as a whole."
