Industry leaders today urged the House Oversight and Reform Committee to strengthen the Federal Information Security Management Act (FISMA) to keep up with evolving cyber threats and place a greater emphasis on cybersecurity outcomes, rather than compliance.
FISMA requires Federal civilian agencies to comply with cybersecurity standards, but has not been updated since 2014. During a hearing today about draft legislation being prepared by House Oversight leadership to reform the existing FISMA statute, industry leaders encouraged the committee to reduce the compliance burdens of FISMA to better protect networks.
“What we need to do is we need to really elevate the compliance policy that we’re getting behind and drive reciprocity across the other compliance regimes that we have,” said Ross Nodurft, executive director of the Alliance for Digital Innovation and former chief of the Office of Management and Budget’s cybersecurity team.
“The companies that are trying to bring their technology to bear want to be able to come in, prove that they’re doing what they need to do to be secure, and then be able to leverage that one set of proof across all these agencies and across all these compliance regimes,” he said.
“I really think it’s imperative that we take a hard look at what the compliance is for the security parameters that we’ve defined [in FISMA],” he added. “There is an overemphasis on compliance as opposed to doing the hard work to say, ‘Okay, here’s my risk, here [is] the security that meets my risk, and therefore I can bring in more technology faster.’”
FISMA’s compliance burdens also create a “duplication of effort across agencies,” according to Gordon Bitko, senior vice president of policy at the Information Technology Industry Council (ITI) and former FBI chief information officer.
“Today, each agency is individually obliged to develop its own information security programs with little incentive for leveraging shared services, sharing information, or accepting security assessments or best practices from other agencies,” Bitko said. “This can lead to considerable redundancies as agency security officials are frequently unable or simply unwilling to use the good work already done elsewhere in the government.”
In his written testimony, Bitko instead recommended Congress “establish formal processes to promote the reciprocity of security reviews across government,” as well as “information-sharing related to cybersecurity performance across the Federal government.”
Bitko noted that, by doing so, agencies would be less focused on meeting compliance requirements and would find “better risk management, along with improved collaboration and communication.”
Grant Schneider, senior director of cybersecurity services at Venable and former Federal chief information security officer at the Office of Management and Budget, agreed with Bitko and said the “over-focus on compliance and on process” was one of the biggest problems with the current version of FISMA.
“I think a lot of compliance activities are necessary, but not sufficient for cybersecurity,” Schneider said. “They can be helpful, however, I do think and agree with Gordon that if we have a FISMA – as we look at updates – that is more focused on agencies’ risk management programs and their ability to protect wherever possible… [that’s] going to be an approach that will be more successful for Federal security.”