House Oversight and Reform Committee leadership today unveiled their draft legislation to make major changes to the 2014 Federal Information Security Management Act (FISMA) that sets cybersecurity requirements for Federal civilian agencies.
The committee’s top leadership emphasized that the broad aims of the legislation enjoy significant measures of bipartisan support on the committee, as well as with sponsors of similar legislation approved by the Senate Homeland Security and Governmental Affairs Committee in October 2021.
Core aspects of both bills have been developed with input from the Biden administration, and include several major aspects of the administration’s cybersecurity executive order published in May 2021.
According to a summary of the House draft legislation, the Federal Information Security Modernization Act of 2022 released by House Oversight Chairwoman Carolyn Maloney, D-N.Y., and ranking member James Comer, R-Ky., the bill looks to update the FISMA statute “with a clear, coordinated, whole-of-government approach to federal cybersecurity.”
Broadly in line with the Senate legislation, the proposed House bill would:
- Put Federal cybersecurity policy development more squarely the hands of the Office of Management and Budget for policy development and oversight; give “operational coordination responsibilities” to the Cybersecurity and Infrastructure Security Agency (CISA), and vest “overall cybersecurity strategy responsibilities” to the National Cyber Director;
- Require CISA to “expeditiously seek opportunities to remove barriers to agency cybersecurity efforts through shared services and technical assistance”;
- Codify into the law the position at Federal Chief Information Security Officer (CISO) at OMB;
- Take a risk-based cybersecurity posture “with ongoing and continuous risk assessments that will allow agencies to prioritize cybersecurity risks with accurate, real-time information about the agency’s posture and threats”;
- Promote “cybersecurity modernization and next-generation security principles like a risk-based paradigm, zero trust principles, endpoint detection and response, cloud migration, automation, penetration testing, and vulnerability disclosure programs”;
- Reduce the frequency of the now-annual FISMA assessments for Federal agencies and instead allow agencies to “prioritize cybersecurity risks with accurate, real-time information about the agency’s posture and threats”;
- Require continuous monitoring of systems and ease compliance burdens through the use of automation technologies;
- Require Federal agencies to keep inventories of “all internet-accessible information systems and assets, as well as all available software bills of materials, for improved situational awareness”; and
- Improve sharing of cyber incident information between Federal agencies and oversight entities including Congress.
In unveiling the draft legislation today, the committee emphasized that Reps. Maloney and Comer “are working closely on the shared goal of FISMA reform.”
“In drafting House companion legislation, the Committee has been coordinating with Chairman Gary Peters and Ranking Member Rob Portman of the Senate Committee on Homeland Security and Governmental Affairs, as well as the Administration’s key cybersecurity leadership and industry stakeholders,” it said.
Speaking at a committee hearing today, Rep. Maloney thanked Rep. Comer “for his partnership and diligence in working on the discussion draft with me.” She added, “We are committed to perfecting the bill together, and I’m confident that today’s hearing will help our bipartisan, bicameral coalition get this priority across the finish line this year.”
For his part, Rep. Comer voiced his support for FISMA reform that does not place undue burdens on agencies.
“A modern update to FISMA will ensure federal agencies, in coordination with the private sector and government contractors, can better protect, disrupt, and deter damaging digital intrusions,” he said. “In examining FISMA, we need to clearly understand the full scope and evolving nature of cybersecurity challenges our government faces before enacting systemic changes.”
Noting recent Senate and Biden administration action in the FISMA arena, Rep. Comer called those “important steps, ones that the Chairwoman and I hope to build upon to ensure reforms do not unnecessarily impose restrictive burdens, duplication, or complication.”
“FISMA reform must provide agencies with the authority to effectively address threats with speed and precision, while also freeing time to continuously monitor new and emerging threats as they arise,” he continued.
“Any reform must enable federal agencies to respond to an incident in real-time to mitigate damage, fix the problem, and effectively share critical information about the attack so it does not happen again,” Rep. Comer said. “Burdensome red tape requirements for coordination and outdated compliance checklists cannot remain significant hurdles when responding to major cyber incidents.”
“We greatly appreciate OMB’s technical assistance, and have honored an overarching request to avoid imposition of overly burdensome, bureaucratic reporting and compliance controls which hamper agencies from addressing daily cybersecurity challenges,” he said.
Rep. Maloney also singled out Rep. Gerry Connolly, chairman of the House Government Operations Subcommittee, for his work on IT issues in general and on the FedRAMP Authorization Act, which passed the House last year and awaits action in the Senate.
Rep. Connolly said at today’s hearing that FISMA is a “fundamental component” of Federal agency security. But he added that the current version of the law predates many of the more advanced cybersecurity threats that the government faces, and that critics of the current statute view its requirements as “sometimes onerous and overly focused on compliance rather than on actually mitigating potential cyber threats.”
“We must take more proactive cyber measures that ensure government runs on modern, well-designed IT,” Rep. Connolly said, adding that his FedRAMP legislation would help in that effort.
GAO Evaluation Ongoing
Jennifer Franks, Director of Information Technology and Cybersecurity at the Government Accountability Office (GAO), testified at today’s hearing about preliminary results from GAO’s ongoing review of how Federal agencies have been implementing FISMA, and the results – although somewhat dated – were not particularly encouraging.
“Our preliminary results indicate varying levels of effectiveness of Federal agencies’ implementation of FISMA requirements,” she said. GAO’s review shows that as of Fiscal Year 2020, only seven out of 23 civilian CFO Act agencies had “effective agency-wide information security programs,” she said, adding that most agencies were then struggling with “core functions of identify, protect, detect, and recover.”
“On a positive note, more agencies were indeed meeting the cybersecurity goal of taking appropriate actions needed to respond to a cybersecurity incident,” Franks said.
Regarding barriers that agencies identified to better implementation of the law, Franks cited a lack of resources and a focus on compliance via annual reviews as two factors. When asked for suggestions to improve implementation, she said most agencies did not bring up a legislative fix but did suggest reducing the frequency of FISMA inspector general reviews, among other items.