Note to McCain, Obama: Don't forget information security

Regardless of whether you favor Barack Obama or John McCain, you have to admit that the next president will inherit a monumental mess.

Each candidate has been scrambling to explain how he plans to right the financial ship, reign in growing health-care costs, improve education, and balance the budget. Yikes!

As if this wasn't enough, the new president and Congress also have an obligation to figure out how to proceed with a strategic plan for IT and information security.

Now I understand that economic, social, and national security issues should have precedence, but the fact is that the federal government is sort of treading water on a number of highly visible strategic initiatives regarding information security. The issue here isn't new legislation or initiatives, however. It is finishing work that has already been started.

Here are a few examples:

1. The Comprehensive National Cyber Security Initiative (CNCI). This effort grew out of presidential and Department of Homeland Security directives with the goal of standardizing security practices and appointing DHS as the overseer of critical information security infrastructure across all federal agencies. It is estimated that CNCI will ultimately cost around $18 billion to $30 billion. But for now, DHS is asking for $200 million in 2009. As of this writing, these funds have not been allocated to the project.

2. The next revision of the Federal Information Security Management Act (FISMA) of 2002. Back in 2002, FISMA was passed in order to provide a set of guidelines and requirements for federal agencies. Each agency was then graded on a FISMA report card with the results presented to Congress and the public. Several agencies (alarmingly, including DHS) received an "F", while others saw FISMA as nothing more than a series of check boxes with no teeth. To improve the efficacy and benefits of FISMA, the Senate is currently working on the FISMA Act of 2008 (S.3474). As of now, this bill remains in committee.

3. A national information privacy act. The Personal Data and Privacy Act (S.495) has been languishing in the Senate for years. In lieu of national personal-privacy legislation, 42 states have enacted their own laws leading to a messy situation for any organization doing business across the country. Some states like Nevada and Massachusetts now mandate data encryption to protect data confidentiality, but individual laws remains vague and unique.

These examples pale in comparison to the federal train wreck around Homeland Security Presidential Directive 12 (HSPD-12), a well-intended but unfunded effort to standardize identity technologies for federal workers and contractors. In my opinion, the lack of federal funding has rendered HSPD-12 a bad joke inside the Beltway.

As a private citizen, I can't help but lament the tremendous amount of wasted effort here, especially in the face of increasingly dangerous information security threats. Bills are discussed but not passed. Some legislation gets passed and is either ignored or treated as a mere check-box item. Other bills are passed and never funded.

Unfortunately, these examples are a microcosm of a broken, wasteful system. Regardless of who becomes our next president, I'll judge progress in Washington by the government's ability to pass and fund legislation, meet regulatory compliance mandates, improve information security, and strive for constant improvement. I, for one, will be watching carefully.