Bill Updating FISMA Clears HouseLegislation Would Require Continuous Monitoring of Agency IT
The dispute over privacy and regulation surrounding the House vote on the Cyber Intelligence Sharing and Protection Act (see With CISPA Passage, What Next?) drowned out passage of legislation that's more critical to those held responsible for securing federal IT systems and data: a bill to update the Federal Information Management Security Act of 2002.
While CISPA's approval was far from unanimous - it passed on a 248-168 vote - the House on April 26 also passed the Federal Information Security Amendments Act by a voice vote. (Two other cybersecurity bills passed the House with little opposition and also head to the Senate: the Cybersecurity Enhancement Act of 2011 and reauthorization of the Networking and Information Technology Research and Development.)
It's not that the FISMA update doesn't have contentious elements; it does, but debate on whether to give the Department of Homeland Security more sway over federal government IT security governance will wait for another day.
The Federal Information Security Amendments Act reaffirms the primary role of the Office of Management and Budget on federal government IT security governance. Legislation reforming FISMA before the Senate is contained in the more comprehensive Cybersecurity Act of 2012, and that bill would give DHS more authority in determining IT security policy for non-intelligence, civilian agencies. The Obama administration supports elevating the role of DHS in federal IT governance, but a number of lawmakers oppose giving the department such clout. The Senate has yet to schedule a vote on the Cybersecurity Act. Any differences between the bills would have to be resolved in a Senate-House conference.
Lawmakers generally agreed on most provisions contained in the Federal Information Security Amendments Act, which is aimed at tightening security for federal government IT systems.
The measure would require federal agencies to implement automated and continuous monitoring to mitigate risks before a cyber incident occurs. Specifically, the legislation would direct senior agency officials to conduct continuous risk testing and evaluation of security controls and techniques as well as perform threat assessments by monitoring information infrastructure and identifying potential system vulnerabilities. Current law requires only periodic testing and evaluation. The legislation also would require agencies to use automated and continuous monitoring to report security incidents to the appropriate security operations center and agencies' inspectors general.
Another provision of the bill would expand the term "information security" to include authentication, which it defines as the use of digital credentials to assure users' identities and validate access.
Other provisions of the Federal Information Security Amendments Act would:
- Delegate to agency chief information officers the authority to develop, implement and oversee agencywide information security programs.
- Extend the security requirements of federal agencies to include responsibilities to ensure complementary and uniform standards for information systems and national security systems, secure facilities for classified information and maintain sufficient personnel with security clearances.
- Direct agencies to determine information security levels in accordance with information security classifications and standards promulgated under the National Institute of Standards and Technology Act.
- Order agencies to collaborate with OMB and appropriate public and private sector security operations centers on cybersecurity incidents that extend beyond the control of an agency.