Senate legislation unveiled July 12 to update the nine-year-old Federal Information Security Modernization Act (FISMA) is on its way to fast-track consideration by the Senate as part of the Fiscal Year 2024 National Defense Authorization Act (NDAA) that the Senate is set to begin debating today.
Senate Majority Leader Chuck Schumer, D-N.Y., has submitted the FISMA bill as a standalone amendment to the NDAA bill. The FISMA legislation is set to be marked up by the Senate Homeland Security and Governmental Affairs Committee (HSGAC) on July 19.
Sen. Schumer also offered several other tech and cyber-related bills as standalone amendments to the NDAA, including the Satellite Cybersecurity Act, the Securing Open Source Software Act, the Cybersecurity Awareness Act, and the DHS International Cyber Partner Act. Each of those bills was approved earlier this year by the Senate HSGAC.
FISMA Update Details
The FISMA modernization bill filed in the House and Senate last week would carry forward numerous aspects of FISMA reform legislation approved by both chambers in 2022, but which ultimately failed to reach the finish line.
The current bill would, among many other provisions, codify into Federal law the position of Federal Chief Information Security Officer (CISO) at the Office of Management and Budget (OMB), and require the appointment of dedicated chief privacy officers at Federal agencies.
The Federal Information Security Modernization Act of 2023 was introduced in the Senate by HSGAC Chairman Gary Peters, D-Mich., and Sen. Josh Hawley, R-Mo. The House version of the bill is being offered by Rep. James Comer, R-Ky., chairman of the House Oversight and Reform Committee, Rep. Nancy Mace, R-S.C., chairwoman of the Cybersecurity, Information Technology, and Government Innovation subcommittee, Rep. Gerry Connolly, D-Va., ranking member of the subcommittee, and Rep. Jamie Raskin, D-Md., ranking member on House Oversight.
The bill, its sponsors said, would:
- Support more effective cybersecurity practices throughout the Federal government;
- Improve coordination between OMB, the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the National Cyber Director, and Federal agencies and contractors in addressing online threats;
- Require Federal civilian agencies to report all cyberattacks to CISA, and major cyber incidents to Congress;
- Provide CISA with additional authorities to respond to breach incidents on Federal civilian networks;
- Codify portions of President Biden’s 2021 cybersecurity executive order to enforce higher level security protections for Federal information systems; and
- Require OMB to develop guidance for Federal agencies “so they can efficiently allocate the cybersecurity resources they need to protect their networks.”
“From the OPM data breach in 2015 to the SolarWinds cyberattack in 2020, it’s clear that the federal government has more work to do to ensure the security of federal networks and the safety of sensitive federal data,” said Rep. Connolly in a statement. “This legislation will bring us a giant step closer to realizing that goal, including by codifying the role of the Federal Chief Information Security Officer at OMB,” he said.
“Criminals and nation states have upped their game to hack into our government’s computers and steal our personal data,” said Rep. Mace. “It’s time the federal government loses the checkerboard and starts playing chess.”
“The Federal Information Security Modernization Act of 2023 provides the federal government with the tools and guidance it needs to thwart such attacks,” she said. “The bill promotes security principles and programs such as vulnerability disclosure programs, penetration testing, zero trust architectures, and the use of AI in automation.”
Rep. Comer said the latest bill “reflects years of diligent work between the House Oversight Committee and Senate Homeland Security and Governmental Affairs Committee to ensure the authorities and reporting responsibilities of our nation’s cybersecurity leadership are strengthened. Under this bill’s reforms, the federal government’s cyber defenses will be modernized as technology evolves and threats become more sophisticated, persistent, and malicious.”
“The bipartisan introduction of FISMA 2023 builds on years of important work by Committee Democrats to strengthen our federal networks against attacks by China, Russia, and other nefarious actors bent on destroying American democracy and prosperity,” said Rep. Raskin. “Among many notable advances of this bill, I’m especially proud that it will also ensure robust protections of our civil rights and civil liberties by requiring dedicated Chief Privacy Officers at federal agencies.”