The Federal Information Security Management Act, introduced by Rep. Tom Davis, R-Va., would extend the Government Information Security Reform Act of 2000, which is set to expire in November. That law required government agencies to make annual security assessments and tests of nonclassified information systems.
The law requires agencies to grade themselves; most have done poorly so far. According to Davis, 16 of the 24 agencies evaluated in 2001 received a failing grade, and only one agency got better than a C+.
The new bill would also attempt to beef up network security. The bill, HR 3844, would require federal agencies to adopt minimum security standards established by the National Institute of Standards and Technology. Under the Computer Security Act of 1987, agencies could get a waiver from adhering to the standards.
"Information security cannot go the way of any other 'issue du jour,'" Davis said at a hearing before the Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations on Wednesday. "It is a constant management requirement that requires eternal vigilance, and the ranking of its importance to federal operations cannot fluctuate from one administration to the next."