Bipartisan leaders of the House Oversight and Reform Committee today introduced their version of legislation that would update the Federal Information Security Modernization Act (FISMA), which sets cybersecurity requirements for Federal civilian agencies.
The House bill, and a similar legislative measure in the Senate, would update the current version of the FISMA law, which was put on the books in 2014 and, as such, does not fully take into account advances in technology and the more sophisticated methods adopted by cyber adversaries since then. The committee debated the merits of the legislation at a hearing earlier this month.
Core aspects of both the House and Senate bills have been developed with input from the Biden administration, and include several major aspects of the administration’s cybersecurity executive order published in May 2021.
Among other items, the House bill would:
- Put Federal cybersecurity policy development and oversight more firmly in the hands of the Office of Management and Budget; give “operational coordination responsibilities” to the Cybersecurity and Infrastructure Security Agency (CISA); and vest “overall cybersecurity strategy responsibilities” in the National Cyber Director;
- Require CISA to “expeditiously seek opportunities to remove barriers to agency cybersecurity efforts through shared services and technical assistance”;
- Codify into law the position of Federal Chief Information Security Officer (CISO) at OMB;
- Take a risk-based cybersecurity posture “with ongoing and continuous risk assessments that will allow agencies to prioritize cybersecurity risks with accurate, real-time information about the agency’s posture and threats”;
- Promote “cybersecurity modernization and next-generation security principles like a risk-based paradigm, zero trust principles, endpoint detection and response, cloud migration, automation, penetration testing, and vulnerability disclosure programs”;
- Reduce the frequency of the now-annual FISMA assessments for Federal agencies and instead allow agencies to “prioritize cybersecurity risks with accurate, real-time information about the agency’s posture and threats”;
- Require continuous monitoring of systems and ease compliance burdens through the use of automation technologies;
- Require Federal agencies to keep inventories of “all internet-accessible information systems and assets, as well as all available software bills of materials, for improved situational awareness”; and
- Improve sharing of cyber incident information between Federal agencies and oversight entities including Congress.
Broad Bipartisan Support
The House measure introduced today enjoys broad bipartisan support among House Oversight members. Sponsoring the bill are committee Chairwoman Carolyn Maloney, D-N.Y., and ranking member James Comer, R-Tenn.
Co-sponsors include Rep. Gerry Connolly, D-Va., who chairs the House Government Operations Subcommittee, and Reps. Jody Hice, R-Ga., Eleanor Holmes Norton, D-D.C., Stephen Lynch, D-Mass., Jim Cooper, D-Tenn., Jamie Raskin, D-Md., Bob Gibbs, R-Ohio, Pete Sessions, R-Texas, Fred Keller, R-Pa., Shontel Brown, D-Ohio, Scott Franklin, R-Fla., and Debbie Wasserman Schultz, D-Fla.
“Ensuring the federal government’s cyber resilience is a bipartisan priority,” Rep. Maloney said today, adding that the bill aims to “ensure that federal agencies can keep pace with the challenges of the constantly evolving cyber frontier.”
“Nation-state adversaries like Russia and China, as well as other threat actors, present a constant danger,” she said. “The Federal Information Security Modernization Act of 2022 elevates our federal cyber defenses to the next level, taking a cutting-edge and strategic approach to ensure federal IT systems can better prepare for and respond to today’s cyber challenges.”
“The federal government maintains extensive public records containing sensitive information on all Americans and businesses,” Rep. Comer said. “Recent cyberattacks make it clear we need a modern update to the federal government’s cybersecurity practices to better protect against, quickly fix, and deter future damaging digital intrusions that can harm our economy and impact Americans’ daily lives.”