FISMA Reform Heads to Senate Floor
Committee Also Approves Two Other Cybersecurity Bills
The Senate moved a significant step closer to updating the 12-year-old law that governs federal information security when the Homeland Security and Governmental Affairs Committee on June 25 approved the Federal Information Security Modernization Act.
The Senate committee also passed two other cybersecurity-related bills, but enacting a law to reform the Federal Information Security Management Act would be a major, long-overdue accomplishment. Congress hasn't enacted a significant piece of cybersecurity legislation since 2002, when the E-Government Act, which included FISMA, became law.
Passage of the Federal Information Security Modernization Act isn't a sure thing. With the looming midterm elections, competition from other bills for precious time for floor debate and a dysfunctional Congress, there's no guarantee that Senate leaders will schedule a vote on the bill. Even if FISMA reform passes the Senate, it would have to be reconciled with a House version of the bill, which could be a time-consuming process with few legislative days left in 2014 (see: FISMA Reform Passes House on 416-0 Vote).
Still, FISMA reform could reach President Obama's desk. It's relatively noncontroversial compared with most other bills and has strong bipartisan support. And in a Congress that has not enacted much legislation, the Federal Information Security Modernization Act could be something lawmakers on both sides of the aisle could tout to voters to show they're taking decisive action on the growing concerns surrounding cyberthreats.
The modernization act would codify actions the Obama administration has taken in recent years, such as giving the Department of Homeland Security sway over getting other civilian agencies to comply with IT security best practices, implementing programs such as continuous monitoring and moving agencies away from paperwork-heavy processes toward real-time and automated security. The bill also would put greater management and oversight attention on data breaches.
If enacted, the bill would be a big accomplishment for Committee Chairman Tom Carper, D-Del., who's been championing FISMA reform for six years. "Cybersecurity is one of our nation's biggest challenges," Carper said in a statement. "That's why it's imperative that we face this 21st century threat with a 21st century response."
The committee also passed the National Cybersecurity and Communications Integration Center Act, aimed at strengthening the center, a Department of Homeland Security operation that houses the U.S. Computer Emergency Readiness Team.
The committee amended the legislation to make it clear that it will not grant additional regulatory or rulemaking authority to the Department of Homeland Security. Sen. Ron Johnson, R-Wis., introduced that amendment.
The act would designate the center as the federal civilian information sharing interface for cybersecurity, Carper says. "We believe the specific authorization and clarity in the law this bill would provide will help DHS carry out its cyber mission more efficiently," he says. "It helps the private sector and other stakeholders know exactly what the government can and cannot do under law."
A similar bill, the National Cybersecurity and Critical Infrastructure Protection Act of 2013, is currently before the House Homeland Security committee (see: Cybersecurity Bill Advances in House).
Streamlining IT Acquisitions
The third bill passed by the committee, the Federal Information Technology Acquisition Reform Act, would streamline agencies' IT acquisitions and require the president to appoint the CIO of federal departments and major agencies. It passed the House in February.
An amendment to this bill, approved by the committee, gives CIOs enhanced powers throughout an agency's planning, programming, budgeting and execution processes.
The bill would enhance transparency and improve risk management in IT investments; create a governmentwide software purchasing program; and establish requirements for the federal data center consolidation initiative.
(Executive Editor Eric Chabrow contributed to this story.)