Agencies, contractors should be held accountable for cybersecurity lapses

“It seems like every single year there is a new piece of cybersecurity legislation that gets introduced, the ‘new cybersecurity law’, and none of them end up making it to law…. Frankly, all of the legislation that I see, including the comprehensive cybersecurity initiative, is just one more group saying what we should be doing but no one putting actionable items in place to make things happen”, Adams told Infosecurity.

Adams said that the cybersecurity bill introduced by Rep. Jim Langevin (D-R.I.) earlier this year was an exception to this general trend.

In March, Langevin introduced a bill that would, among other things, require federal agencies to implement automated and continuous monitoring of their information systems to ensure compliance with the Federal Information Security Management Act (FISMA) and identify deficiencies in information system security. Federal agencies and contractors would also be required to conduct an annual independent audit of their information security programs to determine compliance.

The bill would give the Department of Homeland Security the authority to establish enforcement mechanisms, including the ability to conduct security audits and issue subpoenas to determine compliance with regulatory requirements for security of critical infrastructure.

Not surprisingly, given Republican control of the House, Langevin’s bill (HR 1136) has languished in committee.

“What I really liked about that bill was the accountability it had. Nothing is going to change until you hit the agencies and contractors where it hurts, which is in the wallet. What I liked about Langevin’s bill is that it moved the audit trail. Right now, the security audit trail in the federal government is a joke. FISMA is a paper audit without any teeth”, Adams said.

Langevin’s bill would have moved the process to a technology-based audit, requiring technology to be put in place to monitor and measure compliance. The result of the security audit would be directly related to funding. “I thought that was a brilliant yet simple move”, the Security Innovation chief added.

To get effective cybersecurity legislation, lawmakers need to “set aside whether they are Republican or Democrat, because these issues can affect every single citizen in this country”, he stressed.
