The Federal Information Security Management Act, introduced by Rep. Tom Davis, R-Va., would extend the Government Information Security Reform Act of 2000, which is set to expire in November. That law required government agencies to make annual security assessments and tests of nonclassified information systems.
The law requires agencies to grade themselves; most have done poorly so far. According to Davis, 16 of the 24 agencies evaluated in 2001 received a failing grade, and only one agency got better than a C+.
The new bill would also attempt to beef up network security. The bill, HR 3844, would require federal agencies to adopt minimum security standards established by the National Institute of Standards and Technology. Under the Computer Security Act of 1987, agencies could get a waiver from adhering to the standards.

--Margaret Kane, Special to ZDNet News