The House Oversight and Reform Committee will debut draft legislation next week to adopt major reforms to the 2014 Federal Information Security Management Act (FISMA) that sets cybersecurity requirements for Federal civilian agencies.
The draft legislation, the committee said, will aim to “reform FISMA to ensure federal agencies can better prepare for and respond to the cyber threats they face.”
While the draft committee bill is not yet public, sources from both sides of Capitol Hill indicated today that the content of the legislation runs broadly in line with FISMA reform legislation approved by the Senate Homeland Security and Governmental Affairs Committee in October 2021 with broad bipartisan support.
Sponsors of the Senate bill tried unsuccessfully to hitch their FISMA legislation to the Fiscal Year 2022 National Defense Authorization Act (NDAA) that President Biden signed in late December.
The House Oversight and Reform Committee will discuss the draft legislation at a January 11 hearing that will feature testimony from former Federal Chief Information Security Officer Grant Schneider, former NASA CIO Renee Wynn, and Jennifer Franks, Director of Information Technology and Cybersecurity at the Government Accountability Office.
Also testifying at the committee hearing will be Gordon Bitko, formerly CIO at the Federal Bureau of Investigation and now senior VP of policy at the Information Technology Industry Council; and Ross Nodurft, executive director at the Alliance for Digital Innovation and former chief of the cybersecurity team at the Office of Management and Budget (OMB).
“The onslaught of devastating cyberattacks against the federal government, as well as state and local governments and the private sector, is shining a spotlight on the need to improve FISMA, which has not been updated since 2014,” the committee said in announcing the hearing. It cited data from OMB detailing more than 30,000 cyber incidents reported by Federal agencies in FY2020, along with large-scale cyberattacks since then on government and private sector targets including the SolarWinds software supply chain exploit.
“In response to these threats and attacks, the hearing will examine the urgent need to reform FISMA and create a clear, coordinated, whole-of-government approach to federal cybersecurity to meet the challenges of this new and constantly evolving cyber frontier,” the committee said.
Senate Bill Thumbnails
The existing Senate FISMA legislation would, among other provisions:
- Put the Cybersecurity and Infrastructure Security Agency (CISA) more firmly in charge of Federal civilian agency security;
- Wrap the National Cyber Director and the Office of Management and Budget (OMB) more tightly into cybersecurity policy-setting;
- Ensure more timely delivery to key congressional committees of details about major cyberattacks;
- Codify into Federal law some aspects of President Biden’s cybersecurity executive order issued in May 2021; and
- Put into motion penetration testing of Federal civilian networks – a provision that has the endorsement of current Federal CISO Chris DeRusha.
OMB Forges Ahead
At the same time as Congress grapples with changes to the existing FISMA law, OMB has wasted little time in modifying its own orders to Federal agencies on how to put tighter cybersecurity rules into place.
Last month, the agency issued new FISMA guidance to agencies for FY2021-2022 that puts into practice several priorities in the Biden administration’s Cybersecurity Executive Order issued in May 2021, and that also aligns with key aspects of the existing Senate legislation.
OMB officials said the new guidance is aimed to “help agencies focus less on compliance-based activities, and spend more time measuring information that is closely tied to observable and practical security outcomes.” Federal CISO DeRusha emphasized that the new guidance “is designed to help agencies focus on practical security outcomes by measuring the use of rigorous multilayered security testing, automation of security and compliance controls, and progress in adopting a zero trust architecture.”
The December 2021 guidance features:
- Requirements from the Cyber EO regarding multifactor authentication and encryption;
- Laying a foundation for collecting information that will support OMB’s zero trust strategy that the agency released in September;
- A review of the Continuous Diagnostics and Mitigation (CDM) Program and work to make it more effective in FY 2022;
- Requirements for Federal agencies to invest in more “sophisticated and multilayered application testing requirements”;
- More Federal agency use of security automation technologies to improve efficiency and transparency; and
- Implementation guidance for CISA’s cyber Incident Response Playbook.