Government Computer News
House gives urgency to IT security
Along with OMB guidance, agencies under pressure to do more
Digg
De.licio.us
Slashdot
Technorati
Image: Rick Steele
Rep. Tom Davis was expected to release information about agencies’ past data breaches.
Laying down the law on IT security
OMB’s latest guidance on data breach notification, based on direction from the President’s Identity Theft Task Force, recommends that:
- Agencies establish core management groups responsible for responding to the loss of personal information
- Core response groups perform risk analysis in the event of a breach to determine potential for identity theft
- Agency response should be based on the level of risk for identity theft, such as advising those potentially affected, providing credit services and public notice.
- Directs OMB to establish data breach policies and procedures
- Gives CIOs enforcement authority, when an agency head delegates it, over data breach policies and inventory of IT containing personal data
- Requires that individuals be notified if their personal information could be compromised by a data breach at a federal agency
- Requires that the agency’s chief human capital officer perform an accounting of federal property assigned to employees who are leaving
- Defines sensitive personal information as any information about the individual held by the agency.
A sense of urgency over seemingly endless data leaks drove the House recently to pass legislation that tightens requirements under the Federal Information Security Management Act for all agencies. Additionally, Rep. Tom Davis (R-Va.), sponsor of the bill, was expected to release more information about agencies’ past data breaches. Sources called the information potentially “astounding.”
Davis was expected to issue the report after press time.
Davis packaged his bill, HR 6163, the Federal Agency Data Breach Protection Act, in another piece of legislation aimed at shoring up data security at the Veterans Affairs Department, the Veterans Identity and Credit Security Act, HR 5835. The Senate must now vote on the bill.
OMB officials said they view the House bill as helping agencies meet FISMA’s standards for security requirements.
“We support efforts that strengthen this important tool,” said an OMB spokeswoman.
Appalled at the flood of data breaches, most spectacularly the incident in which a VA employee lost data on millions of veterans, Davis sought from agencies summaries of data breaches that occurred over the past three years. In one case, the Commerce Department revealed that it couldn’t account for 1,100 notebook PCs, including some containing personal Census Bureau data, because it did not track inventory.
The deluge of data breaches caused swift action in both the executive and legislative branches (see chart). But while OMB, which has come out with several guidance documents since June, is pushing policy and best practices, congressional officials said their bills carry more weight.
“Davis’ bill has far more teeth than OMB’s guidance to date,” said Dave Marin, spokesman for the House Government Reform Committee, which Davis chairs.
The bill requires agencies to adhere to IT security improvements, such as timely notice to individuals whose sensitive information may be compromised, centralizing data security enforcement under the CIO when authorized and ensuring that hardware containing personal information is maintained and accounted for, he said.
“Until now, there was no requirement that people be notified if their information is compromised,” Marin said.
Despite the compelling need for congressional response, it is uncertain whether the Senate will pass a version of the VA IT security bill, with or without Davis’ FISMA language, Marin said.
| |||
| Latest News |  WashingtonTechnology.com |
FCW.com |
|
GCN.com
The latest technology news from GCN.com
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
 |
![1105 Government Information Group [valor]](/images/1105logo_website.gif "Government Computer News [valor]")
© 1996-2008 1105 Media, Inc. All Rights Reserved.
