New security provisions in draft U.S. ICE legislation

The draft U.S. Information and Communications Enhancement (U.S. ICE) legislation expected to be introduced by Senator Tom Carper (D – Del.) addresses and tries to remedy many of the shortcomings in the Federal Information Security Management Act (FISMA). The feature drawing the most attention recently is the position and corresponding office that would be created in the legislation of an executive branch Director of the National Office for Cyberspace. This new role would provide direct oversight of federal agency security programs (civilian and defense), including reviewing and approving agency information security programs mandated under FISMA. For security architects, there are a number of very interesting provisions in the law. These include:

• Annual reporting on the overall security posture of the federal government, including a detailed assessment of the effectiveness of information security programs in each agency. The agency-level evaluations will look at the effectiveness of virtually all aspects of security programs, including monitoring, detection, analysis, protection, reporting, and response.
• Development and implementation of government-wide policy, guidance, and regulations to standardize security requirements for commercial off-the-shelf (COTS) products and services purchased by the government. This provision would presumably build on the approach of the Federal Desktop Core Configuration, which mandates minimum security settings for government computers running Windows operating systems.
• A shift in the emphasis of explicit agency information security responsibilities away from compliance with recommended controls towards a model of on-going assessment of the effectiveness of implemented security controls. Specifically, the bill would require “continuously testing and monitoring information security controls and techniques to ensure that they are effectively implemented.”
• A new requirement to establish, maintain, and update enterprise network, system, storage, and security architecture framework documentation explaining how security controls are implemented within the agency’s information infrastructure and how those controls provide the appropriate level of security (in terms of confidentiality, integrity, and availability). The emphasis on documenting how controls are implemented instead of merely reporting what controls would be a significant departure from conventional security thinking and reporting in the federal government.
• Agency information security program responsibilities would be augmented to include not just periodic risk assessments (already called for in FISMA) but also penetration tests for agency information systems. Noted experts in security and, especially, incident response such as Richard Bejtlich have been consistent voices calling for less “paper compliance” and more testing, particularly testing that goes beyond automated vulnerability scanning or system security test and evaluations done within the federal certification and accreditation processes. Those with a fondness for semantics may be interested to note that although FISMA does call for annual independent evaluations of program effectiveness, the law is quite vague as to the methods to be used for such evaluations, and the use of the word “penetration” does not appear anywhere in the text of FISMA.
• Lastly, the bill would take the first step towards standardizing minimum security requirements across agencies, presumably with a corresponding influence on the levels of risk deemed acceptable by agencies when authorizing systems for operation in their environments. The draft U.S. ICE legislation directs the Commerce Secretary (through NIST) to set unified standards for national security systems and information systems, including minimum information security requirements (agencies can employ more stringent standards). In another departure from precedent, these standards will be compulsory and binding.