MITRE Corp., the operator of Federally-funded R&D centers that aim to help the U.S. government with a host of scientific and tech research issues, is advancing a series of recommendations for congressional action on high-profile cybersecurity issues prior to Senate action beginning Nov. 29 on the FY2022 National Defense Authorization Act (NDAA) which features numerous provisions that would impact Federal cyber defenses.
MITRE’s Center for Data-Driven Policy (CDDP) issued its recommendations for congressional action in late October. They focus on, among other issues:
- Federal Information Security Modernization Act (FISMA) reform;
- Strengthening the roles of Federal cybersecurity leadership including the National Cyber Director and the Federal CIO and CISO;
- The pressing need for Federal IT modernization;
- Adoption of a threat-hunting approach for cybersecurity risk management;
- Promotion of zero trust security architectures;
- Modernization of Cybersecurity and Infrastructure Security Agency (CISA) cyber programs including the Einstein and Continuous Diagnostics and Mitigation (CDM) programs;
- Supply chain security;
- Using FITARA as a model for tracking Federal agency progress on cybersecurity; and
- Including cybersecurity progress as a cross-agency priority goal in the Biden administration’s President’s Management Agenda.
“It is time for additional Congressional action to help meet the changing threat landscape facing America today by updating law and policy regulating Federal government cybersecurity, and by funding and overseeing modernization of Federal IT and cybersecurity systems,” the MITRE CCDP said.
Several aspects of the list of MITRE recommendations are addressed – at least in part – by FISMA reform legislation cleared by the Senate Homeland Security and Governmental Affairs Committee in October. That bill is being proposed as amendment to the FY2022 NDAA.
“Law governing Federal agency cybersecurity and oversight last received a major update with passage of the Federal Information Security Modernization Act of 2014,” MITRE CCDP said. “Since then, the government has continued to struggle with both basic cybersecurity hygiene and advanced threats, as borne out by numerous reports from the Government Accountability Office (GAO) and agency inspectors general.”
“Updates are needed to the laws governing Federal cybersecurity to align them with current cybersecurity best practices, to reduce spending on audits and reports, and to clarify roles and responsibilities of the many Federal players involved,” MITRE CCDP said.
“These points will get legislation closer aligned with current policies and practices in the executive branch,” Dave Powner, executive director of the MITRE CCDP and a former director of information technology management issues at the Government Accountability Office (GAO), told MeriTalk this week.
Powner explained that Federal agencies undertake a lot of FISMA reporting currently, but with reporting requirements stemming from a bill that became law seven years ago – almost an eternity in the cyber realm given the rapid growth in sophisticated threats – the reporting is “a bit outdated, and you don’t really get the right return.”
“We’ve got to make sure that the resources we spend on cyber go to the right things, and that’s why we need the legislation to be aligned with what’s going on in the executive branch,” Powner said.