Security

General discussion

Gravatar
0 Votes
Locked

A Senate Bill Impacting Federal CIOs

By cweinsch ·
Hello. My name is Carl Weinschenk. I am a contributing writer to the CIO Community. Recently, Senator John Edwards (D-South Carolina) introduced a bill that would require CIOs of Federal agencies to test quarterly for cyber security under guidelinesthat would be developed by the National Institute of Standards and Technology (NIST). CIOs would have to issue an annual report to the Office of Management and Budget (OMB). The text of the bill is available at http://www.congress.gov/cgi-lis/query/z?c108:S.187. (Fill in S.187 for the bill number, or use chief information officer as the search term. It is the Edwards Bill that was introduced on Jan. 16.)

I?d like reactions to this bill. Could this work? Is there a need for it? Is it workable? Are the goals admirable but the approach errant? Is there enough information in the Bill to answer these questions? Is this political?Edwards is running for president? What other comments do you have on this?

Thanks.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

gravatar
Collapse -

2 Cents

by timwalsh In reply to A Senate Bill Impacting F ...

That's how much this bill is worth.

This is yet another attempt to solve technical problems through toothless legislation.

Part of every CIOs job description should be to identify the agencies vulnerabilities and to fix them.

All this bill does is create yet another report with no means to verify the findings, and no means to determine whether vulnerabilites are being fixed.

While the goal IS admirable, the approach is errent in that a report never solves anything.

Those agenciesthat have a vested interest in keeping their systems secure (DoD, DOJ, FAA, CIA, Department of State, etc.) already do so, and continually reassess their vulnerabilities. All this bill does for them is create another paperwork exercise that eats upresources (time, money, people) that could be better expended elsewhere.

The agencies that have proven and reoccurring vulnerabilities aren't going to have their problems fixed by having to prepare another report. If they have known vulnerabilities that haven't been fixed yet, (in my mind) it's because either the Agency leadership is clueless, or they don't care (or both). A report won't fix that. Unless there is a separate agency with the power to audit all government information systmes, there is no way to determine compliance.

Is this politically motivated? You're kidding, right?

gravatar
Collapse -

Everything Old is New Again

by Oldefar In reply to A Senate Bill Impacting F ...

During the Cold War the threat came from communications systems. In the USAF there was a major command known as Security Service that monitored our own communications for security breaches as one of their responsibilities. Security Service was changed to Electronic Security Command in the late 70's. The move to a Joint Intelligence Agency that combined roles across the service branches followed, and I assume the monitoring responsibility was continued across all the services.

Seperation of military activities from other government agencies was the norm. Under the Homeland Security Act, this has changed. It seems to me that there is likely an external auditing capability in place that can now be applied to other government agencies without the need for new legislation.

The same applies for standards. Our military services historically have very well defined standards, known as technical orders in the Air Force. GSA should be able to borrow from these for use across other government offices.

Back to Security Forum

Start or search

Related Discussions

Related Forums