The prospects for comprehensive cybersecurity legislation have dimmed as the clock on the congressional lame duck runs out. But that doesn’t mean the computer-security guidelines — the Federal Information Security Management Act (FISMA), largely unamended since 2000 — must remain out-of-date.
A group of former federal cybersecurity experts and professionals came together under the auspices of the Center for Strategic and International Studies more than year ago to make recommendations on how internal federal guidance — namely the Office of Management and Budget’s Circular A-130, could be updated using existing authorities.
Members of the group include:
Frank Reeder, co-founder and director of the Center for Internet Security and the National Board of Information Security Examiners
Karen Evans, national director of the U.S. Cyber Challenge
Dan Chenok, executive director of the IBM Center for the Business of Government
Jim Lewis, director of CSIS’ Technology and Public Policy Program
Alan Paller, director of research at the SANS Institute
The group, which published its findings last month in a report, said the most important recommendation is to improve the continuous monitoring of federal networks.
“Government security experts have told us that the current regime of periodic reports and certifications requires them to spend tens of millions of dollars on reports and processes that do little to enhance security,” the authors wrote in the report’s introduction.