Data Thefts Breeds Changes in IT Security Policy and Legislation

Aug. 11, 2006
Legislation introduced aims to address Issues of decentralized network and organizational structure

RESTON, Va., Aug. 10 -- The recent data loss incidents at the Department of Veterans Affairs (VA) have led Congress to take aim at forcing IT (information technology) security organizational changes and process improvements at the VA and other federal departments and agencies, according to a report released by INPUT, an authority on government business. The recent VA data theft of 26.5 million records was the first in a series of similar public announcements of stolen or lost employee and citizen personal information from government computers and networks.

"The root cause of these incidents, and the root cause of most of the security problems facing the federal government on a fairly consistent basis for the last decade or longer, is culture," said Bruce Brody, vice president, information security at INPUT. "Some departments and agencies are worse than others, but to some extent, they all follow a tradition of decentralization and autonomy of subordinate operating administrations."

Current efforts to improve information security that are expected to play out in the coming months include legislation expected to affect changes in the VA's organization and FISMA (Federal Information Security Management Act). Legislation has been introduced to elevate the position of the VA Chief Information Officer (CIO) to an under secretary and to modify FISMA to clarify the enforcement authority of the CIO. From the time FISMA legislation is passed, the CIO at decentralized departments and agencies will no longer be able to simply issue policies, but will also be tasked with enforcing those policies by holding people accountable for violating them.

INPUT expects a burst of contracting activity at the VA in the area of networking and operations, as the Department attempts to expend nearly $200 million in end-of-year IT dollars to shore up its infrastructure. Vendors holding Basic Purchase Agreements (BPAs) may be fortunate beneficiaries of the windfalls, but vendors who are not already on existing VA BPAs still have the opportunity to be placed as subcontractors if they make the case to senior VA officials that their security solutions will put the necessary controls in place to protect sensitive veteran information. The most likely expenditures in the coming months will be in the area of IT operations, most of which is in the field.

"It is likely that all departments and agencies across the Executive Branch have heard the impassioned arguments for centralized management approaches, and even the most recalcitrant departments and agencies may be forced to move in that direction," stated Brody. "Moreover, the FISMA legislation is about to be changed in a very important way, with the CIO being given enforcement authority for security policies across the Executive Branch, and that might be just the beginning of the reforms that the FISMA legislation needs. With the potential changes resulting from the upcoming elections in November, FISMA will likely be revamped to begin measuring security, and that would be a tremendous boon to federal information security."