Cybersecurity Experts Push for Sweeping FISMA ChangesHouse Committee Leaders Also Issue Their Version of FISMA Modernization Act
As the U.S. Congress continues to push for strengthening of the Federal Information Security Management Act, or FISMA, lawmakers hosted a hearing with former top government cybersecurity officials on Tuesday. The witnesses expressed a need to update the law, last modified in 2014, and focus more on outcomes than on processes and compliance.
Efforts to update FISMA, which sets cybersecurity requirements for federal civilian agencies, follow a failure to get modernization language in the 2022 annual defense spending bill. A stand-alone provision, first crafted in the Senate by Homeland Security and Governmental Affairs Committee Chairman Gary Peters, D-Mich., and the committee's ranking member, Sen. Rob Portman, R-Ohio, passed the committee and moved to full Senate consideration in October 2021. On Tuesday, the chair of the House Committee on Oversight and Reform, Rep. Carolyn B. Maloney, D-N.Y., and the committee's ranking member, Rep. James Comer, R-Ky., issued a draft for its companion bill, the FISMA Modernization Act of 2022.
According to a draft of the bill viewed by Information Security Media Group, the House proposal would:
- Clarify federal cybersecurity roles: This includes policy development and oversight to the Office of Management and Budget, operational coordination to CISA, and overall strategy to the National Cyber Director. It also codifies the role of OMB's federal CISO, who would be a presidential appointment, have budgetary review authority, and become deputy national cyber director. Current Federal CISO Chris DeRusha was already appointed to the latter by NCD Chris Inglis in October.
- Advance a risk-based cybersecurity posture: This would promote Zero Trust principles, endpoint detection and response, cloud migration, automation, penetration testing, vulnerability disclosure programs and continuous risk assessments.
- Modernize and streamline reporting requirements: This would reduce the frequency of FISMA assessments and update agency reporting requirements to Congress on "major" incidents from seven days to 72 hours.
- Expand inventories and information sharing: This would require agencies to keep inventories of IT systems and assets as well as all available software bills of materials.
- Promote shared services and agency support: This would require CISA to remove any barriers to shared services and technical assistance.
Maloney and Comer say in a document accompanying their bill: "The onslaught of devastating cyberattacks like SolarWinds and the Microsoft Exchange Server hack, as well as vulnerabilities discovered in common Apache Log4j software, highlight the need to modernize FISMA with a clear, coordinated, whole-of-government approach to federal cybersecurity."
'Solid Security Footing'
During the hearing, entitled "Cybersecurity for the New Frontier: Reforming the Federal Information Security Management Act", Maloney said that the existing FISMA is "simply not enough to protect us in its current form. Threats have transformed dramatically since FISMA was updated in 2014, and in ways that were unimaginable since the law was first written 20 years ago."
"It's no longer enough to guard our networks at their perimeters, as was the focus in the past," Maloney said. "Today, we must also guard within the perimeter, continuously monitoring for the smallest trace of abnormal activity. Modernization cannot wait because our adversaries certainly won't. And we're woefully behind."
In his remarks, Comer said: "A modern update [to FISMA] will ensure federal agencies, in coordination with the private sector and government contractors, can better protect, disrupt and deter damaging digital intrusions."
"Burdensome red tape requirements" and "outdated compliance checklists" cannot remain hurdles when responding to incidents, he said.
"I'm confident that cybersecurity modernization is largely achievable through carefully balanced FISMA reform" and that "our collective efforts will place the federal government on a solid security footing for years to come."
The committee also heard testimony from Grant Schneider, former federal CISO; Gordon Bitko, former CIO for the FBI; Renee Wynn, former CIO for NASA; Jennifer R. Franks, a cybersecurity leader at the Government Accountability Office; and Ross Nodurft, the former chief of the Office of Management and Budget's cybersecurity team.
Witnesses Discuss FISMA
Experts testifying before the full committee on Tuesday echoed a number of the aforementioned concerns.
Grant Schneider, senior director of cybersecurity services at the law firm Venable and the former federal CISO, said: "FISMA must evolve just as the threats and the nature of our IT environments continue to evolve."
Schneider, who is an active contributor to ISMG, advised lawmakers to consider the following in enacting FISMA reform:
- Clarify at a high level federal roles and responsibilities - in line with the creation of CISA and the Office of the National Cyber Director, and have the president clarify them in detail;
- Codify the role of the federal CISO, largely as outlined by the House proposal;
- Require agencies to have greater situational awareness - including inventories of hardware and software supply chain assessments;
- Maintain the definition of a "major incident" to ensure proper information is shared with Congress;
- Require greater alignment with core cybersecurity guidance from the National Institute of Standards and Technology.
Other witnesses also expressed concern over the existing law's focus on process. Gordon Bitko, senior vice president of policy, public sector, for the Information Technology Industry Council and the former CIO for the FBI, said, "[FISMA] doesn't look at the real-time effectiveness of [its] processes, and therefore doesn't promote real risk management."
Bitko said FISMA currently creates "duplication of effort across agencies" with "little incentive for leveraging shared services," leading to "considerable redundancies." He said its excessive focus on manual processes and annual updates makes it "nearly impossible to obtain a clear, timely view of the state of information security across the whole of the federal enterprise."
'Pivot Cyber Spend'
Ross Nodurft, executive director of the Alliance for Digital Innovation and former chief of OMB's cybersecurity team, testified that even more can be done to strengthen the federal government's cybersecurity strategy.
Nodurft advised lawmakers to update other key laws dealing with government IT, policy, acquisition and governance.
He also advised Congress to encourage agencies to "budget for technology and services that can effectively buy down the risk of their environments" and "pivot their cybersecurity spend to move toward tools and services that enable Zero Trust."
Renee Wynn, a security consultant and former CIO at NASA, said that a risk-based approach accounting for all types of technology would be required, including monitoring IT and OT systems, and the fastest growing area - the internet of things.
She also said, "Congress must continue to hold the heads of departments and agencies accountable for addressing cybersecurity risks."