Senate Passes FISMA Reform on Voice Vote
Measure's Fate Remains Uncertain in House of Representatives
The Senate has approved a bill to update the Federal Information Security Management Act, the 12-year-old law that governs federal government information security.
With no debate and by a voice vote in a nearly empty chamber, the Senate on Monday evening, Dec. 8, passed the measure, known as the Federal Information Security Modernization Act. The bill goes to the House of Representatives, where its fate is uncertain.
The Senate vote is a victory for Sen. Tom Carper, the Delaware Democrat who has championed FISMA reform for the past half-dozen years, first as a subcommittee chairman and for the past two years as chair of the Senate Homeland Security and Governmental Affairs Committee, a post he'll relinquish in January, when Republicans take control of the Senate. "I'm encouraged, but it's not a done deal," Carper said in a telephone interview late Monday night.
Carper explained that the House has a dispute over which of its committees - Homeland Security or Oversight and Governmental Reform - will have jurisdiction over the Senate-approved measure. That dispute will need to be resolved by the House leadership if FISMA reform is to become law this year.
The House passed its version of FISMA reform in 2013 (see FISMA Reform Passes House on 416-0 Vote), but unlike the Senate measure, the lower chamber's bill did not designate a special role for DHS in assisting other civilian federal agencies with implementing cybersecurity processes such as continuous monitoring.
By law, the White House Office of Management and Budget oversees federal agencies' IT security. But, in recent years, OMB has ceded some of its responsibilities to DHS because, in part, OMB has neither the manpower nor resources that DHS can furnish at a time when cybersecurity has become more critical in government operations. The Senate-passed bill would codify those actions. "The bill clarifies the division of labor between OMB and the Department of Homeland Security," Carper said of the legislation he sponsored.
Both bills would replace the FISMA requirement that agencies file annual checklists showing the steps they've taken to secure their IT systems. Under FISMA reform, agencies instead would automatically and continuously monitor their systems to assure their security. Carper said the legislation would allow "taxpayer dollars to be better spent on improving network security by reducing unnecessary and burdensome paper-based reporting."
Citing the recent cyber-attacks on the Postal Service, Office of Personnel Management, State Department and White House, Carper said the bill would help address the challenges to secure government systems. "This bill will modernize our outdated federal network security laws, provide the tools and authorities needed to improve security at our federal agencies and increase transparency and accountability for data breaches at federal agencies."