GCN web stories, 01/20/03
Sen. Edwards introduces information security bill
By William Jackson, GCN Staff
Sen. John Edwards has introduced a bill that would require agencies to identify vulnerabilities in their systems and set up timetables for eliminating them.

The North Carolina Democrat's National Cyber Security Leadership Act of 2003 would also mandate the use of IT security standards and guidelines established by the National Institute of Standards and Technology.

The bill, introduced Jan. 16, has been referred to the Senate Governmental Affairs Committee.

Edwards said he introduced S 187 because of the dismal performance of many agencies in the most recent rounds of evaluations by the Office of Management and Budget, the General Accounting Office, and the House Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations. He said the government's lax efforts set a poor example for the private sector and offer little incentive for federal contractors to upgrade security.

The bill would require agency CIOs to:

Identify significant vulnerabilities in IT systems;
Establish performance goals for eliminating the weaknesses;
Evaluate performance at least quarterly.

NIST would be charged with developing guidelines within six months to address the vulnerabilities. The guidelines could become mandatory unless agencies received exemptions. The bill would authorize $1 million next year for the NIST work.

The bill complements the Federal Information Security Management Act, which was incorporated in the Homeland Security Act of 2002.

FISMA requires agencies to assess risks to IT systems and to provide information security protections commensurate with the risk. It also requires development of security programs, annual evaluations of the programs and annual reports to OMB. The OMB director, who must see that IT security is incorporated adequately in each agency's programs and budgets, must make a status report to Congress each year.

FISMA also requires development of NIST security standards and guidelines but does not make their use mandatory by agencies.
