FISMA Reform Bill Unveiled in HouseReal-Time IT Monitoring Would Replace Paper Compliance
If the Federal Information Security Amendment Act, or H.R. 4900, introduced by Rep. Diane Watson would become law as drafted, federal agencies no longer would be required to annually file documents showing how they comply with Federal Information Security Management Act directives. Instead, the bill calls for the continuous monitoring of federal IT systems against attacks and other nefarious activities.
At a hearing Wednesday of the House Committee on Oversight and Government Reform's Subcommittee on Government Management, Organization and Procurement, chaired by Watson, Federal CIO Vivek Kundra characterized current FISMA compliance as a culture of compliance. "For too long," he said, "federal agencies have focused on reporting on security rather than gaining meaningful insight into their security postures."
The House bill is similar to a FISMA reform measure in the Senate, the United States Information and Communications Enhancement Act, or U.S. ICE, sponsored by Sen. Tom Carper, D.-Del., which also would replace so-called FISMA paper compliance with real-time monitoring of government IT systems. The major difference of the two bills is that the House version places cybersecurity authority in the White House whereas the Senate measure grants much cybersecurity governance clout in the Department of Homeland Security.
The measure by Watson, D.-Calif., would:
- Establish a National Office for Cyberspace within the Executive Office of the President to coordinate and oversee the IT security of agency information systems and infrastructure, headed by a presidentially nominated director who would be confirmed by the Senate.
- Establish a Federal Cybersecurity Practice Board within the National Office of Cyberspace - chaired by the director - charged with developing the processes agency would follow to defend their IT systems. Board members would come from the Office of Management and Budget, Department of Defense and select members from civilian and law enforcement agencies. The policies the board would develop include minimum security controls, measures of effectiveness for determining cyber risk and remedies for security deficiencies.
- Establish requirements for agencies to undertake automated and continuous system monitoring to identify system compliance, deficiencies and potential risks. These activities would move agencies away from manually intensive periodic assessments that fail to incorporate emerging tends or information about an agendy's current security posture.
- Require agencies to conduct regular evaluations of their systems, including so-called red-team penetration tests.
- Require agencies and contractors managing government systems to obtain an annual, independent audit of their IT programs to determine their overall effectiveness and compliance with FISMA requirements.
- Authorize the National Office of Cyberspace director to approve policies for the operation of a central federal information security incident center.
- Establish requirements for the purchase of secure commercial, off-the-shelf IT products and services as well as policies for mitigating supply chain risks associated with those products.
The Federal Information Security Amendment Act joins about a dozen or so cybersecurity bills in various stages in Congress, including the Cybersecurity Enhancement Act passed by the House late last year and the Cybersecurity Act of 2010, which Wednesday was approved by the Senate Committee on Commerce, Science and Transportation.
Few lawmakers or congressional observers assuredly predict enactment of any significant cybersecurity in the current Congress, but see current legislative actions as setting the foundation for passage of comprehensive information security legislation in the 112th Congress that convenes next January.