The Democratic and Republican leaders of the Senate Homeland Security and Governmental Affairs Committee have unveiled their long-awaited legislation to update the 2014 Federal Information Security Modernization Act that provides cybersecurity marching orders to Federal civilian agencies.

Among its higher-level aims, the 132-page bill offered by Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio, would amend the existing FISMA law to:

Put the Cybersecurity and Infrastructure Security Agency (CISA) more firmly in the driver’s seat for Federal civilian agency security;

Wrap the National Cyber Director and the Office of Management and Budget (OMB) more tightly into cybersecurity policy-setting;

Ensure more timely delivery to key congressional committees of details about major cyberattacks;

Codify into Federal law some aspects of President Biden’s cybersecurity executive order issued in May; and

Put into motion penetration testing of Federal civilian networks – a provision that won the endorsement of Federal CISO Chris DeRusha in several of his recent cybersecurity policy speeches.

The bill is set to be marked up by the committee on October 6. It is unclear whether the Senate FISMA overhaul bill has any House companion legislation.

SolarWinds Impact

While congressional desires to update FISMA are not new – it’s easy to see how a cybersecurity law written in 2014 needs to keep up with the pace of technology development – the string of high-profile hacks that began to come to light late in 2020 with the SolarWinds Orion supply chain compromise has clearly been a catalyst for the new legislation.

The two senators said at a hearing in May that they were looking into changing FISMA for a variety of reasons – including what they regarded as the untimely and insufficiently detailed notifications that Congress received from Federal agencies about the SolarWinds hack.

FISMA, Sen. Peters said at the May hearing, “clearly need some adjustment” in order to reflect the intent of Congress on attack notifications, and “so there is no ambiguity” about the need to declare that a cyberattack constitutes a “major incident” as defined under the law. He also said the Federal government needs to be able to mount more coordinated responses against attacks.

Sen. Peters said that cyber adversaries view the Federal government as a “single target” rather than a collection of agencies and that CISA and OMB need to take a “governmentwide approach” to cyber threats.

Sen. Portman questioned at the May hearing why the Department of Health and Human Services (HHS) did not declare the SolarWinds hack a “major incident” as defined by FISMA, and said more timely notification to Congress would help lawmakers take action to respond to attacks.

The Ohio senator also said that Congress needed to look at Federal “cybersecurity strategy and leadership” in order to arrive at a “single point of accountability” within the government for cybersecurity.

Broad Aims of the Bill

In announcing the legislation, the senators characterized those two points – better notification to Congress of major attacks, and better defining CISA’s roles in Federal civilian information security – as two of the bill’s main goals.

“Increasingly sophisticated cyberattacks against our federal agencies by foreign adversaries – and criminal organizations they often harbor – highlight the urgent need to enhance federal cybersecurity,” Sen. Peters said. “Since Congress last addressed this critical issue, online threats have rapidly evolved and CISA had not yet been created.”

“This bipartisan bill will help secure our federal networks, update cyber incident reporting requirements for federal agencies and contractors to ensure they are quickly sharing information, and prevent hackers from infiltrating agency networks to steal sensitive data and compromise national security,” he said.

Sen. Portman cited a report the committee issued in August that took seven Federal agencies to task for failing – as of 2020 – to comply with the “baseline security requirements” of FISMA. That report and a previous one reaching similar conclusions about Federal agency security “show that federal agencies are unprepared to meet the sophisticated, determined threat we face and have failed to address many vulnerabilities for nearly a decade putting the sensitive data of all Americans at risk,” the senator said.

“This bipartisan bill provides the security the American people deserve and the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised,” Sen. Portman said.

Legislation Details

According to the committee and a non-exhaustive reading of the legislation’s language, the FISMA reform bill aims to: