From: GovInfoSecurity

Infosec Reform Rests on Fate of Tax Extension
December 9, 2010 – Eric Chabrow

There is still life in legislation that would significantly change the way IT security is governed in the federal government. But the fate of the cybersecurity measure in these waning days of the 111th Congress rests in the Senate, where Republicans first want passage of a deal between President Obama and GOP lawmakers to extend the Bush-era tax cuts to everyone.

The cybersecurity measures are contained in the National Defense Authorization Act, a House-passed bill that has stalled in the Senate because of a provision to repeal the don’t ask, don’t tell law that bars gays from serving openly in the military. Several Republican senators, including cybersecurity reform champion Susan Collins of Maine, suggest they would vote for cloture (allowing the full Senate to vote on the bill) but first want the tax compromise addressed. Collins also says that, to win her backing on cloture, Senate Majority Leader Harry Reid, D-Nev., must allow more time for debate on the defense act.

The original National Defense Authorization Act only addressed military cybersecurity matters, but in May – shortly before the House approved the bill – Reps. Diane Watson, D-Calif., and James Langevin, D-R.I., successfully attached a rider to the measure that would make momentous changes in how the federal government manages IT security.

The most dramatic change to IT security governance in the bill would be the creation of a National Office of Cyberspace within the White House, with a Senate-confirmed director, to coordinate and oversee the security of agency information systems and infrastructure. This office would have strong budgetary oversight powers that are backed by financial pay-for-performance authorities, while remaining accountable to Congress. Other provisions would:

• Establish a Federal Cybersecurity Practice Board within the cyberspace office to develop policies and procedures for agencies to adhere to in meeting Federal Information Security Management Act (FISMA) statutory requirements, and to oversee the implementation of approved standards and guidelines developed by the National Institute of Standards and Technology.

• Require agencies to undertake automated and continuous monitoring of their systems to ensure compliance and to identify deficiencies and potential risks caused by cyber incidents or threats to an agency’s information technology assets.

• Order agencies to obtain an annual independent audit of their information security programs to determine their overall effectiveness and compliance with FISMA requirements.

• Develop secure acquisition policies to be used in the procurement of information technology products and services.

• Create the Office of the Chief Technology Officer within the White House to work collaboratively across the government and private sector to analyze and improve the use of information technology.

Still, passage is far from a done deal, considering the makeup of a Senate that is geared more toward obstructing than passing legislation. Yet the bill isn’t dead; a faint pulse can be felt.