via Info Security
The Obama administration’s proposal on cybersecurity, transmitted to Congress this week, makes long-needed changes to the Federal Information Security Management Act (FISMA), according to Alan Paller, research director at the SANS Institute.
The White House proposal, which is a comprehensive cybersecurity plan, includes a provision directing the Department of Homeland Security (DHS) “to exercise primary responsibility within the executive branch for information security. This includes implementation of information security policies and directives and compliance” with FISMA, except for national security systems.
This would in effect shift FISMA implementation responsibility away from the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) to DHS, “where the knowledge of attacks informs the defense”, Paller said.
“The great failure of federal cybersecurity for the last decade was that it was a paperwork exercise because no one who knew how the attacks were done had any role in it”, he told Infosecurity. “DHS has already demonstrated that they are focusing on the critical controls… They are focusing on effectiveness measures, rather than make-work”, he added.
The proposal would also expand the DHS authority over cybersecurity of private networks, particularly critical infrastructure. DHS would have the authority to develop and conduct risk assessments of private sector critical infrastructure systems and share information with the private sector about threats and best practices.