FISMA Reform Bill Unveiled in House

Real-Time IT Monitoring Would Replace Paper Compliance
FISMA reform legislation introduced this week in the House of Representatives would have a Senate-confirmed White House cybersecurity director and a panel of government IT security specialists direct agencies on the steps they must take to secure federal digital assets.

If the Federal Information Security Amendment Act, or H.R. 4900, introduced by Rep. Diane Watson, were to become law as drafted, federal agencies would no longer be required to annually file documents showing how they comply with Federal Information Security Management Act directives. Instead, the bill calls for the continuous monitoring of federal IT systems against attacks and other nefarious activities.

At a hearing Wednesday of the House Committee on Oversight and Government Reform's Subcommittee on Government Management, Organization and Procurement, chaired by Watson, Federal CIO Vivek Kundra characterized current FISMA compliance as a culture of compliance. "For too long," he said, "federal agencies have focused on reporting on security rather than gaining meaningful insight into their security postures."

The House bill is similar to a FISMA reform measure in the Senate, the United States Information and Communications Enhancement Act, or U.S. ICE, sponsored by Sen. Tom Carper, D.-Del., which also would replace so-called FISMA paper compliance with real-time monitoring of government IT systems. The major difference between the two bills is that the House version places cybersecurity authority in the White House, whereas the Senate measure places much of the cybersecurity governance clout in the Department of Homeland Security.

The measure by Watson, D.-Calif., would:

  • Establish a National Office for Cyberspace within the Executive Office of the President to coordinate and oversee the IT security of agency information systems and infrastructure, headed by a presidentially nominated director who would be confirmed by the Senate.

  • Establish a Federal Cybersecurity Practice Board within the National Office of Cyberspace - chaired by the director - charged with developing the processes agencies would follow to defend their IT systems. Board members would come from the Office of Management and Budget, the Department of Defense and select members from civilian and law enforcement agencies. The policies the board would develop include minimum security controls, measures of effectiveness for determining cyber risk and remedies for security deficiencies.

  • Establish requirements for agencies to undertake automated and continuous system monitoring to identify system compliance, deficiencies and potential risks. These activities would move agencies away from manually intensive periodic assessments that fail to incorporate emerging trends or information about an agency's current security posture.

  • Require agencies to conduct regular evaluations of their systems, including so-called red-team penetration tests.

  • Require agencies and contractors managing government systems to obtain an annual, independent audit of their IT programs to determine their overall effectiveness and compliance with FISMA requirements.

  • Authorize the National Office of Cyberspace director to approve policies for the operation of a central federal information security incident center.

  • Establish requirements for the purchase of secure commercial, off-the-shelf IT products and services as well as policies for mitigating supply chain risks associated with those products.

The Federal Information Security Amendment Act joins about a dozen or so cybersecurity bills in various stages in Congress, including the Cybersecurity Enhancement Act passed by the House late last year and the Cybersecurity Act of 2010, which Wednesday was approved by the Senate Committee on Commerce, Science and Transportation.

Few lawmakers or congressional observers confidently predict enactment of any significant cybersecurity legislation in the current Congress, but they see current legislative actions as setting the foundation for passage of comprehensive information security legislation in the 112th Congress, which convenes next January.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.