Senators Debut Sprawling Bill to Overhaul FISMA, Boost CISA Authority

The Democratic and Republican leaders of the Senate Homeland Security and Governmental Affairs Committee have unveiled their long-awaited legislation to update the 2014 Federal Information Security Modernization Act that provides cybersecurity marching orders to Federal civilian agencies.

Among some of its higher-level aims, the 132-page bill offered by Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio, would amend the existing FISMA law to:

• Put the Cybersecurity and Infrastructure Security Agency (CISA) more firmly in the driver’s seat for Federal civilian agency security;
• Wrap the National Cyber Director and the Office of Management and Budget (OMB) more tightly into cybersecurity policy-setting;
• Ensure more timely delivery to key congressional committees of details about major cyberattacks;
• Codify into Federal law some aspects of President Biden’s cybersecurity executive order issued in May; and
• Put into motion penetration testing of Federal civilian networks – a provision that won the endorsement of Federal CISO Chris DeRusha in several of his recent cybersecurity policy speeches.

The bill is set to be marked up by the committee on October 6.  It is unclear whether the Senate FISMA overhaul bill has any House companion legislation.

SolarWinds Impact

While congressional desires to update FISMA are not new – it’s easy to see how a cybersecurity law written eight years ago needs to keep up with the pace of technology development – the string of high-profile hacks that began to come to light late in 2020 with the SolarWinds Orion supply chain exploit has clearly been a catalyst for the new legislation.

The two senators said at a hearing in May that they were looking into changing FISMA for a variety of reasons – including what they regarded as the lack of timeliness and degree of detail that they said Congress received from Federal agencies with notifications about the SolarWinds hack.

FISMA, Sen. Peters said at the May hearing, “clearly need some adjustment” in order to reflect the intent of Congress on attack notifications, and “so there is no ambiguity” about the need to declare that a cyberattack constitutes a “major incident” as defined under the law.   He also said the Federal government needs to be able to mount more coordinated responses against attacks.

Sen. Peters said that cyber adversaries view the Federal government as a “single target” rather than a collection of agencies and that CISA and OMB need to take a “governmentwide approach” to cyber threats.

Sen. Portman questioned at the May hearing why the Department of Health and Human Services (HHS) did not declare the SolarWinds hack a “major incident” as defined by FISMA, and said more timely notification to Congress would help lawmakers take action to respond to attacks.

The Ohio senator also said that Congress needed to look at Federal “cybersecurity strategy and leadership” in order to arrive at a “single point of accountability” within the government for cybersecurity.

Broad Aims of the Bill

In announcing the legislation, the senators characterized those two points – better notification to Congress of major attacks, and better defining CISA’s roles in Federal civilian information security – as two of the bill’s main goals.

“Increasingly sophisticated cyberattacks against our federal agencies by foreign adversaries – and criminal organizations they often harbor – highlight the urgent need to enhance federal cybersecurity,” Sen. Peters said.  “Since Congress last addressed this critical issue, online threats have rapidly evolved and CISA had not yet been created.”

“This bipartisan bill will help secure our federal networks, update cyber incident reporting requirements for federal agencies and contractors to ensure they are quickly sharing information, and prevent hackers from infiltrating agency networks to steal sensitive data and compromise national security,” he said.

Sen. Portman cited a report the committee issued in August that took seven Federal agencies to task for failing – as of 2020 – to comply with the “baseline security requirements” of FISMA. That report and a previous one reaching similar conclusions about Federal agency security “show that federal agencies are unprepared to meet the sophisticated, determined threat we face and have failed to address many vulnerabilities for nearly a decade putting the sensitive data of all Americans at risk,” the senator said.

“This bipartisan bill provides the security the American people deserve and the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised,” Sen. Portman said.

Legislation Details

According to the committee and a non-exhaustive reading of the legislation’s language, the FISMA reform bill aims to:

• Improve coordination between OMB, CISA, the National Cyber Director, and Federal agencies on cybersecurity;
• Provide more authority to CISA as “the lead entity for operational cybersecurity coordination” and responding to incidents and breaches on federal civilian networks;
• Establish OMB as the “leader for policy development and oversight of Federal cybersecurity”;
• Characterize the National Cyber Director as “responsible for developing the overall cybersecurity strategy of the United States”;
• Require OMB to develop guidance for Federal agencies to use so they can “efficiently allocate the cybersecurity resources they need to protect their networks”;
• Establish penetration testing of Federal networks to test cyber defenses and identify vulnerabilities;
• Require regular reports from Federal agencies to OMB and CISA on agency system risk and additional cybersecurity procedures that are required;
• Require OMB and CISA to develop guidance on evaluating cybersecurity practices including common threats seen by Federal agencies, security controls that address threat patterns, and cybersecurity risks that may be unique to each agency;
• Require agencies to provide breach notification to individuals within 7 to 30 days if their information has been exposed, subject to national security-related limits;
• Require agencies to report major security incidents to Congress within 5 days, and to provide a threat briefing to relevant congressional committees within 7 days;
• Require Federal agency contractors to report incidents and breaches to the agencies they contract with;
• Require OMB, CISA, and the National Cyber Director to define a “major” cyber incident;
• Require OMB to evaluate mobile application security and issue guidance to secure mobile devices for every agency;
• Require OMB and CISA to update standardized metrics to evaluate trends in agency cybersecurity performance including incident detection and remediation;
• Require CISA to develop recommendations on requirements for data and logging retentions for Federal agencies.
• Require the CISA director to assign at least one CISA-employed “cybersecurity professional” to each Federal agency in order to help asset threats and perform risk assessments.
• Require CISA within 18 months to establish “ongoing, hypothesis-driven threat-hunting services” on agency networks.
• Require CISA to advance the adoption of zero trust security principles by providing within six months guidance to agencies to increase security “utilizing presumption of compromise and least privilege principles.”
• Require OMB and CISA to establish a pilot program to perform “continual agency evaluation” of cybersecurity at Federal agencies;
• Require CISA to study a pilot for agency “active defense techniques” by misleading adversaries including by establishing “a honeypot, deception, or purposefully feeding false or misleading data to an adversary” when they are on agency systems; and
• Require CISA to pilot a “security operations center as a service” arrangement through which CISA will run a security operation center on behalf of another agency, thus “alleviating the need to duplicate this function at every agency, and empowering a greater centralized cybersecurity capability.”