IT security rules revision may cost feds $600M over 4 years

31.10.2008

The so-called FISMA Act of 2008, which was introduced in the Senate on Sept. 11 and is officially known as S. 3474, is designed to address some of those concerns. For instance, the bill would require all agencies to create a chief information security officer's position with specific duties and authority. It also calls for the creation of a CISO council that would set security guidelines and best practices.

In addition, the bill would require formal and standardized security audits at agencies, instead of mere "evaluations," and impose new reporting requirements. And IT vendors that sell products to government agencies would need to comply with certain FISMA mandates.

According to the CBO, federal agencies spent about $6 billion meeting the FISMA requirements last year. Its projected cost increase of about $150 million per year if the proposed bill is approved represents a 2.5% hike in the current spending level.

But some security analysts think that the added-cost figure might be overblown. "I think the CBO estimate was just a wild stab," Gartner Inc.'s Pescatore said, adding that the size of the projected increase is "really hard" to envision considering the relatively small extent of the changes being proposed to FISMA.

For instance, while agencies would have to designate CISOs, those positions wouldn't necessarily have to be full-time positions, according to Pescatore. Instead, the CISO role could be handled by someone whose existing job primarily involves security responsibilities. "So this doesn't really even mean any new hires for most agencies," Pescatore said. Similarly, he added that while the creation of a CISO council will add some spending at the executive level, it is unlikely to be a big cost factor.