FISMA Reform Bill Introduced in House
Measure Would Replace Checkbox Mindset with Monitoring
Legislation to reform the Federal Information Security Management Act, the law that governs federal government IT security, has been introduced in the House of Representatives.
The bipartisan Federal Information Security Amendments Act of 2013 would require federal agencies to continuously monitor their IT systems for cyberthreats and implement regular threat assessments.
Under the bill, each department secretary and agency director would be held accountable for their organization's IT security. Though most federal agencies have chief information security officers to coordinate IT security activities, the new FISMA legislation would require them to have CISOs to develop, implement and oversee agencywide IT security programs. The bill would require each CISO to have the "necessary qualifications" that include education, training, experience and security clearance.
The bill, HR 1163, is sponsored by House Oversight and Government Reform Committee Chairman Darrell Issa, R-Calif.; Ranking Member Elijah Cummings, D-Md.; Government Operations Subcommittee Chairman John Mica, R-Fla.; and Subcommittee Ranking Member Gerry Connolly, D-Va.
Addressing FISMA's Deficiencies
"Federal agencies are struggling with cybersecurity threats," Issa says in a statement announcing the bill's introduction. "This update to FISMA will incorporate the last decade of technological innovation, while also addressing FISMA shortcomings realized over the past years."
Those shortcomings center on the compliance aspect of FISMA, which over the years has created a checkbox mindset in the federal government: agencies are graded on the security items they can check off a list to impress auditors, rather than on monitoring their systems continuously to determine whether they are actually secure.
Cummings says the bill would ensure that federal agencies employ a risk-based approach to defend against cyberattacks. Among the requirements of the bill would be penetration testing in which so-called white-hat hackers break into government IT systems to identify vulnerabilities.
The sponsors didn't provide a copy of the legislation, introduced March 14, but said it was akin to an identically named bill that unanimously passed the House last year but never came up for a vote in the Senate, HR 4257 [see Bill Updating FISMA Clears House].
In the last Congress, the Republican-led House enacted a series of bills aimed at improving cybersecurity in the government and nation. Besides the Federal Information Security Amendments Act, the House last year approved the Cyber Intelligence Sharing and Protection Act, known as CISPA, as well as the Cybersecurity Enhancement Act of 2011 and reauthorization of the Networking and Information Technology Research and Development. The Senate combined many of the goals - although not necessarily the language - found in the various House bills into the Cybersecurity Act of 2012, comprehensive legislation that never came up for a vote because of a filibuster mostly supported by Republicans [see Senate, Again, Fails to Halt Filibuster].
The Republican and Democratic leaders of the House Select Permanent Committee on Intelligence earlier this year introduced a nearly identical version of CISPA [see Is Compromise in Offing for CISPA?], which last year President Obama threatened to veto over privacy concerns [see Obama Threatens to Veto Cybersecurity Bill]. That bill provides for liability protections for businesses that share cyberthreat information with the government.
Absent from the Federal Information Security Amendments Act are provisions that would grant the Department of Homeland Security increased authority to oversee federal civilian agencies' implementation of information security. The Obama administration, backed mostly by Senate Democrats, has ceded some of the Office of Management and Budget's oversight of government IT security to DHS, and the Cybersecurity Act of 2012 would have codified that. Distrust exists among some lawmakers about giving that kind of authority to DHS, and contention last year over Homeland Security's role in governing IT among civilian agencies is one reason, but not the only reason, the Cybersecurity Act never came up for a vote.
Prospects for Passage
Setting aside the role of DHS in governing civilian agency IT security, nearly universal agreement exists among lawmakers on the types of FISMA reforms found in the Federal Information Security Amendments Act. At a time when the cyberthreat is becoming part of the general public's consciousness, and less partisan rhetoric on cybersecurity emanates from the White House and Capitol Hill, the prospect of enacting FISMA reform is stronger than ever.
White House Cybersecurity Coordinator Michael Daniel acknowledges a more civil tone from all sides on the need for cybersecurity reform because of the growing attention to cyberthreats [see Daniel Sees Path to New Infosec Law]. "There's a greater awareness of the problem and a greater awareness that we do need to take action in this space," Daniel says in an interview with GovInfoSecurity. "I do think that there are some changes since the previous Congress that do raise the likelihood that we'll get legislation."