The chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee said today they are interested in changing the Federal Information Security Management Act (FISMA) to make sure that Congress gets timely notifications about major cyberattacks that have a national impact.
At a committee hearing today to examine Federal agency security following the SolarWinds Orion cyberattack disclosed last December, committee Chairman Sen. Gary Peters, D-Mich., and ranking member Sen. Rob Portman, R-Ohio, both backed possible FISMA changes, citing concerns about the timeliness and level of detail of the notifications that Congress received from Federal agencies about the SolarWinds hack.
At issue in today’s hearing was the FISMA requirement that agencies notify Congress of major cyber incidents.
FISMA, Sen. Peters said, “clearly need[s] some adjustment” in order to reflect the intent of Congress on attack notifications, and “so there is no ambiguity” about when an agency must declare that a cyberattack constitutes a “major incident” as defined under the law. The law requires Federal agencies to evaluate the scale and scope of attacks, the senator explained.
Adjustments to FISMA, he said, will help to better inform Congress about attacks, and help legislators ensure that the government mounts a coordinated response.
Sen. Peters said that cyber adversaries view the Federal government as a “single target” rather than a collection of agencies and that the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) need to take a “governmentwide approach” to cyber threats, and make sure that Congress gets “timely and relevant” information about cyber threats and attacks.
Sen. Portman questioned why the Department of Health and Human Services (HHS) did not declare the SolarWinds hack a “major incident” as defined by FISMA.
HHS CISO Janet Vogel said her agency did not believe that the SolarWinds attack rose to the level of a “major incident” because the agency did not lose data because of the attack, had “firewalled everything appropriately,” and had determined there would not be any follow-up impact.
“We confirmed with CISA and OMB … our determination that we would not declare a major incident at that time,” Vogel said. She added the agency would have revisited that decision if it had received additional information to warrant that move.
Also testifying at today’s hearing, Commerce Department CISO Ryan Higgins said his agency notified Congress of the SolarWinds attack within seven days of its discovery, and after it had already been in touch with CISA, OMB, and the FBI, among others.
Sen. Portman said he was concerned that HHS did not report the attack as a major incident and said, “maybe we need to tighten up that FISMA requirement.” He added, “to me, this was definitely a major incident,” and said that more notification to Congress would help legislators take action that would respond to attacks.
More generally, Sen. Portman said that Congress needs to look at Federal “cybersecurity strategy and leadership” in order to arrive at a “single point of accountability” within the government for cybersecurity.
Sen. Peters also expressed some frustration with the details of agency notifications to Congress about major cyberattacks, saying that those notifications can say “something happened” but not include enough details of incidents. “While agencies are meeting the letter of the law, they are not meeting the intent of the law” if sufficient details are not provided, the senator said.