ICE Act would restructure cybersecurity rule, create White House post

By Alexander B. Howard, Associate Editor
27 Apr 2009 | SearchCompliance.com


Legislation being introduced Tuesday in the U.S. Senate would make sweeping changes in how cybersecurity is handled at the federal level, creating a chief information security officer (CISO) position in the White House that reports directly to the president.

The Information and Communications Enhancement (ICE) Act, introduced by Sen. Thomas Carper (D-Del.), would place a federal "cyber office" directly below the president. The National Office for Cyberspace would coordinate cybersecurity response among the Department of Homeland Security, the Department of Defense (DoD), the National Security Agency and the private sector.

The realignment introduced in the ICE bill follows comments made by Melissa Hathaway, President Barack Obama's acting senior director for cyberspace, calling for the centralization of cybersecurity authority directly under the White House. During her keynote address last week at RSA Conference 2009 in San Francisco, she stated that efforts to defend citizens and networks against cyberattacks are a "fundamental responsibility of our government." The ICE Act would also be introduced under the pall cast by the data breaches of the DoD's $300 billion Joint Strike Fighter program and the U.S. Air Force's air traffic control system.

Under the new legislation, the Federal Information Security Management Act (FISMA) of 2002 would be revisited and reformed. Currently, responsibility for federal cybersecurity belongs to no one person or agency. More than a dozen federal agencies have claimed responsibility for cybersecurity and respond independently to threats and vulnerabilities. Meanwhile, civilian agencies operate independently of the defense establishment.

In addition to enhancing coordination of the various agencies and other stakeholders involved in cybersecurity at the federal level, the bill would link budgetary decisions specifically to strategic policy, said Erik Hopkins, a staff member with the Senate Committee on Homeland Security and Governmental Affairs, in a presentation at RSA. A Senate hearing on the proposal is scheduled for 10 a.m. Tuesday.

Compliance with FISMA would also change, said Alan Paller, director of research at The SANS Institute, a Bethesda, Md.-based nonprofit cybersecurity research group: compliance would be tied directly to security, with progress measured by security tools rather than paperwork. Instead of awarding high grades for completing a FISMA checklist, agencies would be measured by gap analyses and vulnerability assessments that test the effectiveness of their defenses.

"FISMA measured the wrong things," Paller said in a panel session last week at RSA. "FISMA needs a fundamental change to enable prioritization of resources so that costs can be controlled and Web application security can go from 'missing' to 'covered.'"

The new FISMA requirements would call for government agencies and DoD contractors to comply with a set of prioritized controls that reflect their ability to detect and stop cyberattacks. The recently introduced Rockefeller-Snowe cybersecurity bill contains far-reaching requirements covering security infrastructure. Called the kill-switch bill, it would add certification and licensing burdens to agencies and companies alike, and it would give the president the authority to shut down the Internet in the event of a massive cyberattack. What the ICE Act adds, in Paller's view, is coverage of Internet service providers.

"What we need is granularity," Paller said. "No one wants to turn off all industries."

Under the ICE Act, agencies and all entities operating critical infrastructure that must be secured against cyberattacks would be measured against the "20 Critical Controls," the Consensus Audit Guidelines outlined by the Commission on Cybersecurity for the 44th Presidency. Decisions on securing infrastructure and agencies would be driven by risk assessments, aligning regulatory compliance with actual security preparedness, Paller said.
