Turf battles loom over info security proposal

Federal officials testifying on Capitol Hill supported efforts to standardize and improve information security but disagreed on the best way to achieve these goals.

Information security was the chief topic May 2 at a meeting of two House Government Reform subcommittees to examine the Federal Information Security Management Act of 2002, H.R. 3844, introduced by Rep. Tom Davis, R-Va., in March.

FISMA, as the legislation is called, would re-authorize the Government Information Security Reform provisions passed in the defense authorization act in 2001. It also would strengthen provisions of the original law by requiring development of and compliance with minimum mandatory management controls for securing information and information systems.

Robert Dacy, director of information security with the General Accounting Office, and Benjamin Wu, Commerce Department deputy undersecretary for technology administration, most strongly supported the Davis bill as drafted.

Wu, on behalf of the National Institute of Standards and Technology, recommended that NIST be responsible for developing governmentwide standards for information security, including the authorization of $20 million in funding for its security program.

But he disagreed with FISMA's proposal to have the director of the Office of Management and Budget issue standards and guidelines. That function should remain with the Commerce Secretary, he said.

However, Mark Forman, OMB's associate director of information technology and e-government, suggested that creating new standards or implementing new information security technologies will not improve overall security unless OMB first assists agencies in getting management weaknesses under control.

Forman also argued against trying to establish a single uniform standard for information security to be applied across all agencies.

That point, that information security measures require flexibility, was echoed in the testimony of Daniel Wolf, director of the information assurance directorate at the National Security Agency, and Ronald Miller, chief information officer for the Federal Emergency Management Agency.

James Dempsey, deputy director of the nonprofit Center for Democracy and Technology, questioned the focus in FISMA on information rather than information systems. "The bill ... seems to equate security with secrecy," he said.

After the hearing, Davis spokesman David Marin said opposition to the bill was not unexpected.

"This is stuff we've heard before. We understand the resistance to cultural change," Marin said. "I think there are clearly some turf battles to overcome."

The objections raised by the various parties are technical issues that will be addressed when the full committee holds a mark-up on the bill some time in the next two weeks, Marin said.
