FISMA Reform Bill Clears House Panel
Measure Would Require Real-Time Monitoring of IT Systems
The measure, the Federal Information Security Amendment Act, or H.R. 4900, goes to the full committee.
The bill would require that the president's top cybersecurity adviser and the federal chief technology officer be confirmed by the Senate. The measure also would establish a panel of government IT security specialists to direct agencies on the steps they must take to secure federal digital assets.
The subcommittee accepted an amendment offered by Rep. Gerald Connolly, D.-Va., to require the CTO be confirmed by the Senate. Last year, under existing authority, President Obama named Aneesh Chopra to the newly created job of federal chief technology officer, a post that didn't require Senate confirmation. Chopra serves as a presidential adviser, but reports to John Holdren, director of the White House Office of Science and Technology Policy.
"To ensure that the chief technology officer can continue to improve federal use of technology in the future, we need to make this a statutory position," Connolly said in a statement. "My amendment does that, and gives the chief technology officer the authority he needs by enabling him to report directly to the president."
Using similar authority, Obama tapped Howard Schmidt last December to be White House cybersecurity coordinator, a post that did not require Senate confirmation. In seeking to codify these positions, and by requiring Senate confirmation, Congress would provide some oversight over their performance.
The bill, sponsored by committee chair Diane Watson, D.-Calif., primarily is aimed at updating the 8-year-old Federal Information Security Management Act, the primary law regulating federal information security.
The measure would:
- Create a National Office for Cyberspace within the Executive Office of the President to coordinate and oversee the IT security of agency information systems and infrastructure, headed by a presidentially nominated director who would be confirmed by the Senate.
- Institute a Federal Cybersecurity Practice Board within the National Office for Cyberspace - chaired by the director - charged with developing the processes agencies would follow to defend their IT systems. Board members would come from the Office of Management and Budget, the Department of Defense and select civilian and law enforcement agencies. The policies the board would develop include minimum security controls, measures of effectiveness for determining cyber risk and remedies for security deficiencies.
- Establish requirements for agencies to undertake automated and continuous system monitoring to identify system compliance, deficiencies and potential risks. These activities would move agencies away from manually intensive periodic assessments that fail to incorporate emerging trends or information about an agency's current security posture.
- Require agencies to conduct regular evaluations of their systems, including so-called red-team penetration tests.
- Oblige agencies and contractors managing government systems to obtain an annual, independent audit of their IT programs to determine their overall effectiveness and compliance with FISMA requirements.
- Authorize the National Office for Cyberspace director to approve policies for the operation of a central federal information security incident center.
- Establish requirements for the purchase of secure commercial, off-the-shelf IT products and services as well as policies for mitigating supply chain risks associated with those products.
The House bill is similar to a FISMA reform measure in the Senate, the United States Information and Communications Enhancement Act, or U.S. ICE, sponsored by Sen. Tom Carper, D.-Del., which also would replace so-called FISMA paper compliance with real-time monitoring of government IT systems. The major difference between the two bills is that the House version places cybersecurity authority in the White House, whereas the Senate measure - as redrafted last summer - would grant much of the cybersecurity governance authority to the Department of Homeland Security. Several other cybersecurity bills are at various stages in Congress.