FISMA Reform Passes House on 416-0 VoteFirst Major Update to Federal IT Security Governance in 11 Years
The House of Representatives unanimously approved a bill making the first significant reforms in 11 years to the way the federal government governs information security.
See Also: Proactive Malware Hunting
By a vote of 416 to 0, the House passed on April 16 the Federal Information Security Amendments Act of 2013, which updates the Federal Information Security Management Act of 2002. The House also overwhelmingly approved the Cybersecurity Enhancement Act, which would advance cybersecurity research and development and expand and train a cybersecurity workforce. Both measures go to the Senate for its consideration.
The Federal Information Security Amendments Act, H.R. 1163, would require federal agencies to continuously monitor their IT systems for cyberthreats and implement regular threat assessments.
"This bipartisan legislation will address the shortcomings of FISMA by incorporating recent technological innovations, and enhance and strengthen the current framework that protects federal information technology systems," said the bill's chief sponsor, Rep. Darrell Issa, the California Republican who chairs the House Oversight and Government Reform Committee.
Under the bill, each department secretary and agency director would be held accountable for their organization's IT security. Although most federal agencies have chief information security officers to coordinate IT security activities, the new FISMA legislation would require them to have CISOs to develop, implement and oversee agencywide IT security programs. The bill would require each CISO to have the "necessary qualifications" that include education, training, experience and security clearance.
Fixing FISMA's Faults
The bill addresses a perceived shortcoming of FISMA, which promoted a checkbox mindset in the federal government, where grading agencies on the security items they can check off a list to impress auditors seemed more important than monitoring systems continuously to determine if they're secure.
If approved by the Senate and signed by President Obama, the bill would ensure that federal agencies employ a risk-based approach to defend against cyberattacks. Among the requirements of the bill would be penetration testing in which so-called white-hat hackers break into government IT systems to identify vulnerabilities.
Absent from the Federal Information Security Amendments Act are provisions that would grant the Department of Homeland Security increased authority to oversee federal civilian agencies in the implementation of information security. The Obama administration, backed mostly by Senate Democrats, has ceded some of the Office of Management and Budget oversight of government IT security to DHS, and the Cybersecurity Act of 2012 would have codified that. Distrust exists among some lawmakers about giving that kind of authority to DHS, and contention last year over Homeland Security's role in governing IT among civilian agencies is one (but not the only) reason the Cybersecurity Act never came up for a vote.
The Republican-led House has taken a different approach to cybersecurity legislation than the Democratic-led Senate. The House has tackled cybersecurity with individual bills that have received, for the most part, bipartisan support. The Senate has combined a series of bills into comprehensive legislation, which has yet to produce a measure that could muster the 60 votes necessary to defeat a filibuster. It's unclear whether the Senate will take a less comprehensive approach in the current Congress.
Cybersecurity Enhancement Act Approved
Under the Cybersecurity Enhancement Act, approved 402-16, the National Science Foundation, National Institute of Standards and Technology and other key federal agencies would develop and implement a strategic plan for federal cybersecurity research and development. NIST would be required to have a specific focus on the security of the industrial control systems that run critical infrastructure, such as the power grid, and identity management systems that protect private information.
To grow the nation's cyber-workforce, the legislation would require the president to issue a report assessing the current and future cybersecurity workforce needs of the federal government, authorize a scholarship-for-service program to ensure a highly qualified cybersecurity workforce in the federal government and reauthorize key National Science Foundation workforce programs, including graduate student fellowships and graduate student traineeships in cybersecurity.