
Revision of IT security rules could cost feds $600M over four years

Started by dhilipkumar, Nov 02, 2008, 10:46 PM


dhilipkumar

A proposed bill aimed at strengthening the provisions of the Federal Information Security Management Act would require the U.S. government to spend an additional $610 million on FISMA implementation costs over the next four years if it is passed, according to an estimate by the Congressional Budget Office.

The CBO said in a cost estimate released on Tuesday that the bill could also affect spending on security by agencies, such as the U.S. Postal Service, that don't receive annual funding for compliance with the act. But any increase in costs at those agencies is likely to be relatively small and could be offset by increasing the fees they charge for their services, the CBO added.

FISMA was approved by Congress and signed into law in 2002, in the aftermath of the 9/11 terrorist attacks, with a goal of improving data security within the federal government. The law mandates a series of security measures that agencies have to comply with and be evaluated against on an annual basis. For instance, FISMA requires agencies to adopt standard system configurations, create security training programs and develop processes for testing their security controls and contingency plans.

Over the past few years, the annual FISMA reports issued by each agency's inspector general have been widely used as an indicator of the security preparedness at individual agencies and within the government as a whole. Rep. Tom Davis (R-Va.), who authored FISMA, uses the reports to prepare an IT security report card each year. Many agencies, including the departments of Defense, State and Homeland Security, have typically fared poorly on the report cards, getting "D" or even "F" grades.

FISMA's mandates have focused much-needed attention on the security of federal systems and IT infrastructures. Even so, over the past few years, there has been a growing concern that many agencies have begun treating the FISMA process as little more than a paperwork exercise, resulting in little in the way of actual security improvements.

The big problem, according to critics of the process, is that FISMA merely requires agencies to attest to the measures they have implemented for protecting their data and systems without actually requiring them to prove anything. The requirements have also been criticized for not being holistic enough and for being too focused on process issues, while not covering technology issues.

The so-called FISMA Act of 2008, which was introduced in the Senate on Sept. 11 and is officially known as S. 3474, is designed to address some of those concerns. For instance, the bill would require all agencies to create a chief information security officer's position with specific duties and authority. It also calls for the creation of a CISO council that would set security guidelines and best practices.