FISMA, IT project management bills advance

OMB has major concerns over IT security management legislation

By Jason Miller
Executive Editor
FederalNewsRadio

The Bush Administration does not support several provisions in the new Federal Information Security Management Act that the Senate Homeland Security and Governmental Affairs Committee approved Wednesday.

In a letter to committee chairman Joseph Lieberman (I-Conn.) and ranking member Susan Collins (R-Maine), Karen Evans, OMB’s administrator for e-government and information technology, lays out seven major concerns about the legislation.

“I’m concerned that this legislation, as presently drafted, would have unintended consequences and create barriers to the progress already underway,” Evans says in the letter obtained by FederalNewsRadio.

But Sen. Tom Carper (D-Del.), the bill’s sponsor, says the legislation addresses the changing threat agencies are facing.

“This letter highlights the administration’s concerns with the FISMA bill in its current form,” Carper says. “However, we have worked successfully with OMB in the past and look forward to addressing their concerns on the bill as we move it forward.”

The administration, which has not threatened to veto the bill, has a powerful ally on at least one provision.

Sen. Tom Coburn (R-Okla.), known as “Senator No” for his willingness to stop what he sees as wasteful spending, is not happy with the language calling for a chief information security officers (CISO) council.

Coburn says the council would create another layer of oversight that is not needed.

“I agree with most things in the bill,” says Coburn Wednesday at the committee markup. “We have an IT council and we need to hold them accountable. The council should report to us on what they are doing to improve cybersecurity across their agencies.”

Coburn offered an amendment to strike the provision calling for the CISO council.

The committee did not approve the amendment.

A Coburn spokesman says the senator has no plans to place a hold on the bill.

Carper says he is willing to compromise on the council provision.

“Maybe we could do it for 2 or 3 year test drive,” Carper says. “The council has received some of the best reviews from other experts. We have to keep in mind the job of a CIO is different from the job of CISO.”

The FISMA bill also would:

  • Standardize information security audits by inspectors general;
  • Give the Homeland Security Department the authority to conduct cyber exercises on agency networks, and report on how well they stood up;
  • Give agency IT security officials the authority to sign off on systems as secure;
  • Give Congress the ability to measure agencies’ IT security plans and procedures.

OMB is concerned about other provisions in the bill as well.

Evans says the IT security staff should not sign off on systems because that authority should remain with the system’s business owner, who must decide how much risk is acceptable.

Evans also says the administration is not happy with the IG audit requirement. She says it would increase the workload and not have the effect Congress intended.

OMB is more supportive of Carper’s other bill on IT project management.

The bill calls for several new reporting requirements on IT projects, including when they go off their cost, schedule and performance goals.

“OMB has a unique perspective,” Evans says in an e-mailed statement. “We review hundreds of investments and projects every year, so we can see patterns across the government. We recognize common mistakes, know what fixes may work and definitely which ones don’t.”

Carper’s legislation would require OMB to develop an IT strike force to work on projects that are in trouble. The strike force would include both vendors and agency personnel.

The bill also gives the agency CIO budget authority over programs that are not meeting cost, schedule and performance goals.

“With the IT strike force provision, Congress leverages OMB’s management oversight skills to do a rapid assessment and make course corrections before program failure,” Evans says. “This provision attempts to provide a solution to assist agencies for program success. The IT strike force provision is a bold transformational change in government management.”

The committee also considered a bill dealing with the new controlled unclassified information standard and one promoting the use of open source information at the Homeland Security Department.

The controlled unclassified information legislation requires policies and procedures for marking, safeguarding and disseminating CUI, and establishes a CUI office in the National Archives and Records Administration.

The Homeland Security Open Source Information Enhancement Act of 2008 would require DHS to ensure open source information is gathered in accordance with all current laws. The bill would also require the DHS chief privacy officer to include the types of personal information collected by the department in the office’s annual report.

The legislation also would require DHS to use open source information and share it with appropriate public and private sector entities.

The House passed the open source bill in July.

—–
On the Web:

FederalNewsRadio – Fed IT: What’s wrong with this picture?

Government Printing Office – Homeland Security Open Source Information Enhancement Act (pdf)

Government Printing Office – Federal Information Security Management Act of 2008 (pdf)

Government Printing Office – Information Technology Investment Oversight Enhancement and Waste Prevention Act of 2008 (pdf)

(Copyright 2008 by FederalNewsRadio.com. All Rights Reserved.)
