The newly-proposed Federal Information Security Amendments Act has been accepted by the Oversight Committee and will now go before the entire House for approval.
As the details become clear, the amendments would mean new responsibilities for federal agencies and increased monitoring of both government and private sector resources. Each agency would be required to designate a Chief Information Security Officer (CISO) charged with implementing the new policies, overseeing training and responding to incidents. The bill also establishes a Federal Information Security Incident Center to help agencies respond competently to successful intrusions (a resource noticeably lacking in the current paradigm). The major shift in policy would draw agencies away from the current compliance mindset and “checklist” methodology. But as defense contractors and private industries (deemed “critical infrastructure”) are drawn into new plans for increased monitoring, what are the implications for privacy?
While some initiatives to expand information sharing have been targeted by organizations like the EFF as vague and intrusive, there continue to be voices in Congress that would lump FISMA reform in with increased federal monitoring of private telecom assets. However, the most recent executive order addressing information sharing in the private sector makes some improvements over past proposals. Primarily, it redirects information downstream: federal agencies would be encouraged to share with companies the information they gather on new malware and persistent threats. Additionally, an executive order by nature can only act within the executive branch's existing authority, meaning the newest order cannot exempt companies from privacy statutes or let the government collect new information. Still, we can expect any bill (new or otherwise) seeking to expand (or capitalize on) these directives to be held to the line on privacy.
As FISMA reform exists today, it outlines positive steps for federal agencies and addresses previously neglected areas in their cyber-defense posture. But advocates of domestic surveillance are always waiting in the wings. And while “cyber threats” have replaced “international terrorism” as the chief obstacle to national security, one thing hasn’t changed: abstract threats are still being offered as justification for eroding civil liberties. It remains to be seen whether these beneficial cyber-security directives will escape the House unadulterated.
What changes do you think might come into play as the bill traverses the House? Let us know in the comments below.