FISMA blasted at House hearing
The Federal Information Security Management Act drew more criticism at a March 24 hearing of the House Oversight and Government Reform Committee's subcommittee on government management, organization and procurement.
The subcommittee chairwoman, Rep. Diane Watson (D-Calif.), introduced legislation Monday that would reform the law. Among its provisions are the creation of a White House National Office of Cyberspace and a requirement that federal agencies perform continuous, automated monitoring of their IT systems.
The Federal Information Security Amendments Act of 2010 is similar to a Senate bill introduced last year that has since stalled in committee.
"It's clear that the notion of being in compliance with current law does not equal having adequate security across an agency's IT infrastructure," Watson said during the hearing.
Testifying in support of the bill was John Gilligan, a former Air Force chief information officer, now head of a private consultancy.
"In my view, the implementation of FISMA has been like getting on a treadmill as a means to go to a destination," Gilligan said in prepared testimony. "A treadmill is great if all you want is exercise, but it is not the way to reach a destination," he added.
Gilligan cited a set of measures and controls he helped develop with the Center for Strategic and International Studies, known as the "20 Critical Controls," as a way of closing the vast majority of cybersecurity holes without additional expense.
The methodology hasn't seen widespread adoption, in part because FISMA grades federal agencies on a different set of criteria, and in part because the controls greatly reduce or even eliminate individual user autonomy.
"No longer can users download software which may or may not include malicious code when they desire. Also, local administrators can no longer tinker with the configurations to 'optimize' the system," Gilligan noted.
Overcoming resistance will require "very strong leadership," Gilligan said.
For more:
- check out the subcommittee's hearing page, which includes video and prepared statements
- go directly to John Gilligan's prepared testimony (PDF)
- read H.R. 4900, the Federal Information Security Amendments Act (HTML)
- read this Nextgov blog post on the bill
Related Articles
OMB wants real-time cybersecurity
FBI's Chabinsky: Cybercrime is a profession
GAO raps feds on cybersecurity