Lawmakers see an opening this year to reform the Federal Information Security Modernization Act, with major updates including the assignment of clear roles and responsibilities for federal cybersecurity leadership.
The House Oversight and Reform Committee released a “discussion draft” of its FISMA reform bill today. Chairwoman Carolyn Maloney (D-N.Y.) said it closely resembles a bill that passed the Senate Homeland Security and Governmental Affairs Committee last fall.
“We have a real opportunity to pass FISMA reform this year, and to protect the intellectual property, sensitive data and networks that are essential to our country’s economy and national security,” Maloney said during a hearing held today to discuss the bill.
The draft would assign the Office of Management and Budget with “federal cybersecurity policy development and oversight responsibilities,” CISA with “operational coordination responsibilities” and the National Cyber Director with “overall cybersecurity strategy responsibilities,” according to a summary of the bill.
FISMA was last updated in 2014. Meanwhile, CISA was elevated to a standalone agency in 2018, while the National Cyber Director’s office was just established last year.
The draft bill would also codify the federal chief information security officer’s role into law. The CISO reports to the OMB’s chief information officer and assists in implementing security policies. The position was also recently dual-hatted as deputy national cyber director.
Grant Schneider, former federal chief information security officer, endorsed the move to codify his old role into law. He also said CISA and the National Cyber Director will play key roles in tandem with OMB and the National Institute of Standards and Technology.
“I view the National Cyber Director as having that overarching voice being a bit of the conductor,” Schneider said. “I view CISA as really being the operational partner with agencies. So CISA should be there to help agencies who are tasked to implement their risk management programs.”
The draft bill seeks to reduce FISMA reporting requirements on agencies, notably by shifting independent assessments of each civilian executive branch agency to once every two years. FISMA assessments are currently conducted annually by agency inspectors general or external auditors.
The bill would have CISA perform risk assessments of agencies “on an ongoing and continuous basis,” drawing on information such as vulnerability remediation efforts, incident analysis, vulnerability disclosure programs, threat hunting results and cyber threat intelligence, among other inputs. Agencies would be required to inventory their internet-accessible information systems and assets.
“FISMA reform must provide agencies with the authority to effectively address threats with speed and precision while also freeing time to continuously monitor new and emerging threats as they arise,” Ranking Member James Comer (R-Ky.) said during the hearing.
The shift from compliance to a more continuous, risk-based approach is something cyber leaders have been attempting for at least a decade, including in OMB and CISA’s most recent FISMA guidance.
Jennifer Franks, director of information technology and cybersecurity at the Government Accountability Office, said a key problem is agencies lacking visibility into their own IT environments.
“The fundamental problem across federal agencies is identifying what’s in your inventory of systems,” Franks said. “With zero trust architecture, knowing what you have before you can even protect it is key. With agencies unable to really give a firm inventory of their major information systems and then the data that resides on those systems . . . how will we be reassured that the adequate protections are in place to prevent certain situations from happening?”
Lawmakers said the bill will help drive agencies toward better visibility and the adoption of zero trust architectures. Gordon Bitko, senior vice president of policy for the Information Technology Industry Council, urged lawmakers not to be overly prescriptive as they seek to drive improved cybersecurity outcomes.
“You can have the right balance of centralized control and prescription with flexibility that you need for each agency to deal with its own risks, to understand that its landscape is different, that the threats it faces might be varied,” Bitko testified.
Comer noted the committee’s draft adheres to a request from OMB to avoid “overly burdensome reporting requirements.”
The legislation would also require agencies to maintain an inventory of Software Bills of Materials (SBOMs) as part of their supply chain risk management programs, overseen by the Federal Acquisition Security Council. The Biden administration is already moving toward SBOM requirements under last year’s cybersecurity executive order.
Officials have also pointed to the widespread Log4j vulnerability as a reason to implement SBOMs: with a machine-readable component inventory, an organization can quickly find every deployed package that falls in a vulnerable version range instead of scanning hosts one by one.
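To make the Log4j use case concrete, here is an added example (not code from the article or from any agency program) that reads a CycloneDX-style JSON SBOM and reports components whose version falls inside an advisory's affected range. The SBOM document is constructed inline for illustration, and the single advisory record encodes the Log4Shell (CVE-2021-44228) ranges for log4j-core as published by Apache, including the later-patched 2.3.x and 2.12.x branches; the range syntax and the `parse_version` helper are this example's own, not part of the CycloneDX specification.

```python
"""
Match components in a Software Bill of Materials (SBOM) against advisories.

Added example: parses a CycloneDX-style JSON SBOM constructed below and
flags components whose version falls in an advisory's affected range.
"""
import json
import re

# Constructed SBOM in the CycloneDX JSON layout. Not a real inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"name": "log4j-core", "version": "2.12.2",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.2"},
        {"name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"name": "jackson-databind", "version": "2.13.1",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1"},
    ],
})

# Advisory records: (CVE id, package URL without version, affected ranges).
# Each range is [first affected, first fixed) in that branch. For Log4Shell
# the 2.3.x and 2.12.x branches received backported fixes (2.3.1, 2.12.2),
# so the affected set is three ranges rather than one.
ADVISORIES = [
    ("CVE-2021-44228", "pkg:maven/org.apache.logging.log4j/log4j-core",
     [("2.0-beta9", "2.3.1"), ("2.4", "2.12.2"), ("2.13.0", "2.15.0")]),
]

# Accepts "2", "2.14", "2.14.1" and pre-release forms such as "2.0-beta9".
_VER_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-.]?(alpha|beta|rc)(\d*))?$",
    re.IGNORECASE,
)


def parse_version(text):
    """Return a sortable tuple; pre-releases sort before the final release."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch, tag, tag_num = m.groups()
    nums = (int(major), int(minor or 0), int(patch or 0))
    # Rank 0 for a pre-release tag, rank 1 for a final release of the
    # same number, so 2.0-beta9 < 2.0 but 2.0 < 2.0.1.
    pre = (0, tag.lower(), int(tag_num or 0)) if tag else (1, "", 0)
    return nums + pre


def in_range(version, lo, hi):
    """True when lo <= version < hi under parse_version ordering."""
    return parse_version(lo) <= parse_version(version) < parse_version(hi)


def find_vulnerable(sbom_json, advisories):
    """Return (cve, purl) pairs for SBOM components inside an affected range."""
    bom = json.loads(sbom_json)
    hits = []
    for comp in bom.get("components", []):
        purl = comp.get("purl", "")
        # Everything before '@' identifies the package; the version and any
        # qualifiers follow it.
        package = purl.split("@", 1)[0]
        for cve, adv_package, ranges in advisories:
            if package != adv_package:
                continue
            if any(in_range(comp["version"], lo, hi) for lo, hi in ranges):
                hits.append((cve, purl))
    return hits


if __name__ == "__main__":
    for cve, purl in find_vulnerable(SAMPLE_SBOM, ADVISORIES):
        print(f"{cve}: {purl}")
```

Run against the constructed SBOM, only log4j-core 2.14.1 is reported: 2.12.2 sits in a patched branch, 2.17.1 is past the fix, and log4j-api is a different artifact. The same loop scales to an agency-wide collection of SBOMs and a feed of advisories, which is the inventory-first workflow the article describes.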
Ross Nodurft, executive director of the Alliance for Digital Innovation, argued SBOMs should be used in a “targeted manner” with a risk-based approach.
“You may not need an SBOM for every piece of software everywhere across all the environments if they’re not really risky assets,” Nodurft said. “We don’t want to overburden the industry providers that are building this backbone for the departments and agencies.”
The bill would also have CISA establish two shared services pilot programs. One would provide a “security operations center as a service” for agencies, while the other would provide shared endpoint detection and response tools.
CISA already has several shared offerings through its Cybersecurity Quality Services Management Office.