The House Oversight and Reform Committee today approved by voice vote legislation that would update the Federal Information Security Modernization Act (FISMA). The committee’s vote sends the legislation to the full House of Representatives for consideration.
The current FISMA statute – which sets standards for how Federal agencies conduct cybersecurity and assigns leadership roles to the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) as part of that effort – was last updated in 2014.
The bill enjoys broad bipartisan support on the committee and appeared to draw unanimous support during today’s voice vote.
House Oversight Democratic and Republican leaders said today that an update to the FISMA statute is vital to keep up with cybersecurity threats that have become more sophisticated and ubiquitous since 2014.
“It is crucial that we shore up the cyber defenses of the Federal government,” said committee Chairwoman Carolyn Maloney, D-N.Y., at today’s committee meeting.
“But to truly guard against the cyberattacks of tomorrow, we must also recognize that the next sophisticated cyberattack won’t look like the last one,” she said. “To defend our Federal networks in this new frontier of cyber warfare, we must pursue a transformative approach and we must be constantly vigilant in our threat protection, detection, response, and resilience.”
“As the barrage of major cyberattacks of the last few years makes clear, the threat landscape has transformed dramatically since the law was last updated in 2014,” she said. “This legislation ensures we shift to a risk-based approach and make the crucial shift to a zero trust architecture that continuously monitors the security of Federal networks.”
“It has been nearly eight years since Congress last addressed the structure, framework, and evolution of federal cybersecurity in a comprehensive manner,” said Rep. James Comer, R-Ky., ranking member of the committee and a sponsor of the FISMA update bill.
“In that time, we have seen criminal organizations, nation-states, and all manner of enemies unleash a nonstop barrage of cyber-attacks against American companies and federal agencies,” he said. “These threats are becoming more sophisticated, and the damage they can inflict puts our national security, economy – even the personal safety of the American people at risk.”
“As these threats evolve, FISMA must evolve too in order to meet the challenge,” Rep. Comer said.
“As technology evolves, so must our approach to securing our nation’s infrastructure,” said House Government Operations Subcommittee Chairman Gerry Connolly, D-Va., a co-sponsor of the FISMA bill, today.
He said the proposed FISMA update “incorporates modern IT principles by promoting key tenets of President Biden’s [cybersecurity] executive order,” including zero trust architecture, vulnerability disclosure programs, and shared services, among other attributes.
Rep. Maloney reiterated today that provisions in the House FISMA legislation track well with the details of a similar legislative effort in the Senate.
The Senate Homeland Security and Governmental Affairs Committee approved its version of FISMA update legislation in October 2021. A subsequent attempt to attach that bill to the National Defense Authorization Act was not successful.
Among other items, the House FISMA update bill would:
- Put Federal cybersecurity policy development and oversight more firmly in the hands of the Office of Management and Budget; give “operational coordination responsibilities” to the Cybersecurity and Infrastructure Security Agency (CISA); and vest “overall cybersecurity strategy responsibilities” in the National Cyber Director;
- Require CISA to “expeditiously seek opportunities to remove barriers to agency cybersecurity efforts through shared services and technical assistance”;
- Codify into law the position of Federal Chief Information Security Officer (CISO) at OMB;
- Take a risk-based cybersecurity posture “with ongoing and continuous risk assessments that will allow agencies to prioritize cybersecurity risks with accurate, real-time information about the agency’s posture and threats”;
- Promote “cybersecurity modernization and next-generation security principles like a risk-based paradigm, zero trust principles, endpoint detection and response, cloud migration, automation, penetration testing, and vulnerability disclosure programs”;
- Reduce the frequency of the now-annual FISMA assessments for Federal agencies and instead allow agencies to “prioritize cybersecurity risks with accurate, real-time information about the agency’s posture and threats”;
- Require continuous monitoring of systems and ease compliance burdens through the use of automation technologies;
- Require Federal agencies to keep inventories of “all internet-accessible information systems and assets, as well as all available software bills of materials, for improved situational awareness”; and
- Improve sharing of cyber incident information between Federal agencies and oversight entities including Congress.