Davis introduces info security management act

Rep. Tom Davis presented a bill that would permanently reauthorize the Government Information Security Reform Act of 2000.

Rep. Tom Davis, R-Va., introduced March 6 the Federal Information Security Management Act, a bill that would permanently reauthorize the Government Information Security Reform Act of 2000.

It also would implement additional measures designed to enable the federal government to better protect America's information highways, Davis said. Rep. Stephen Horn, R-Calif., co-sponsored the bill.

GISRA requires every federal agency to develop and implement security policies that include risk assessment, risk-based policies, security awareness training and periodic reviews. It expires Nov. 29.

The legislation seeks to strengthen the information security management infrastructure of the federal government by streamlining GISRA's provisions and requiring that agencies use information security best practices that will ensure the integrity, confidentiality and availability of federal information systems, Davis said.

It also seeks to strengthen the role of the National Institute of Standards and Technology in developing and maintaining standards and guidelines for minimum information security controls.

Agencies would be required to identify the risk levels associated with their systems and implement appropriate protections. Davis' new bill requires the Office of Management and Budget to make NIST's standards compulsory, eliminating the ability to waive the standards under the Computer Security Act of 1987.

"We need to implement a framework that ensures that when systems interconnect with each other, there is a uniform management infrastructure and universal benchmark for measuring the risks and vulnerabilities of federal information systems," Davis said at a hearing of the House Government Reform subcommittee on government efficiency, financial management, and intergovernmental relations. Horn chairs the subcommittee.

Information security is a "constant management requirement that requires eternal vigilance, and the ranking of its importance to federal operations cannot fluctuate from one administration to the next," said Davis, who chairs the Government Reform subcommittee on technology and procurement policy.