Bipartisan FISMA update drops

Image credit: Katherine Welles/Shutterstock.com

Leaders of the Senate Homeland Security and Government Affairs Committee introduced legislation on Monday to update the Federal Information Security Modernization Act to clarify the roles in defending federal networks.

The bill, from Sens. Gary Peters (D-Mich.) and Rob Portman (R-Ohio), was teed up in a Sept. 23 committee hearing focusing on the roles and responsibilities of the nation's cybersecurity defenders now that the Cybersecurity and Infrastructure Security Agency has a lead position in federal agency cybersecurity and in managing breach reports from critical infrastructure companies.

The Federal Information Security Modernization Act of 2021 puts the Office of Management and Budget at the center of policymaking on cybersecurity for civilian agencies and gives CISA the lead role in implementing cybersecurity operations while the National Cyber Director "is responsible for developing the overall cybersecurity strategy of the United States and advising the President on matters relating to cybersecurity."

The bill requires federal civilian agencies to report breaches to CISA and OMB, and includes new authorities that make CISA the lead agency on cybersecurity incidents affecting federal civilian agency networks.

"This bipartisan bill provides the security the American people deserve and the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised," Portman said in a statement.

The bill also requires agencies to use penetration testing "when and where appropriate" to monitor the security of agency systems, especially high-value assets. The rules of engagement for such testing as well as the results are required to be shared with CISA and OMB, "without regard to the status of the entity that performs the penetration testing."

Under the bill, OMB is charged with establishing a framework to prioritize penetration testing resources at federal agencies. Additionally, CISA has about a year and a half to establish a threat hunting program to service federal agency networks.

The bill also looks to set up a legal framework for security researchers who are following established vulnerability disclosure program protocols. In addition, the legislation requires agencies to designate a public-facing point of contact for vulnerability disclosures for unclassified public-facing, internet-accessible systems.

The FISMA update is a companion to a bipartisan breach disclosure bill offered last week by Peters and Portman.