House FISMA draft codifies federal CISO role, looks to shared services

Chairwoman Carolyn Maloney (D-N.Y.) and Rep. Gerry Connolly (D-Va.) confer at a Nov. 16 hearing of the House Committee on Oversight and Reform. (Photo: Anna Moneymaker/Getty Images)

The House Oversight Committee is considering the first updates to the Federal Information Security Modernization Act in seven years, amid increasingly sophisticated cyber risks and threats.

Congress should more regularly update the Federal Information Security Modernization Act (FISMA) and shift the focus of the law from compliance to risk-based approaches to better prepare agencies for increasingly complex cyberattacks, experts testified Tuesday.

Former federal cybersecurity officials, along with a Government Accountability Office witness, offered the House Committee on Oversight and Reform recommendations on how best to modernize FISMA as the committee considered draft legislation to reform the law for the first time in seven years.

Changes called for in the House draft include codifying the role of the federal chief information security officer at the Office of Management and Budget and keeping OMB and the National Cyber Director informed whenever the Cybersecurity and Infrastructure Security Agency issues a binding operational directive to agencies in response to a known threat. The draft also looks to CISA to offer shared services to federal agencies seeking to improve their cybersecurity posture, something already being done administratively through CISA's Quality Services Management Office. In addition, the bill updates the definition of a "major incident" at a federal agency or agencies and sets a 72-hour deadline for agency heads to notify CISA, OMB, congressional leadership and the relevant committees.

The discussion draft also gives the head of OMB and the National Cyber Director latitude to declare a major incident when a breach occurs at multiple agencies and involves a supply chain compromise or a known attack vector, or results from a widespread attack by a "common threat actor."

"Frankly, this is a much neglected subject," said Rep. Gerry Connolly (D-Va.). "The fact that it took 12 years to update FISMA, and another seven years to have a hearing about it, I don't think speaks well of the legislative branch and the priority we put on information technology and its security."

The law was originally enacted in 2002 to give agencies a comprehensive framework for information security management, and it has been updated only once since, in 2014.

Experts urged lawmakers to take into account emerging information technology supply chain risks and establish new security requirements for the procurement of internet of things devices, while creating standardized security requirements that reduce duplication and make oversight more effective. 

Jennifer Franks, director of IT and cybersecurity at the Government Accountability Office, said the annual inspector general reviews that make up the bulk of FISMA activity have focused too heavily on compliance and have become an impediment to agencies, which lack the time and budgetary resources needed to implement the requirements.

Ross Nodurft, executive director of the Alliance for Digital Innovation and former chief of the Office of Management and Budget's cybersecurity team, said the draft FISMA legislation promotes endpoint detection and response, which, implemented alongside zero-trust principles and a comprehensive network security strategy, could have helped mitigate the impact of the SolarWinds cyberattack.

Nodurft told FCW before testifying that the current FISMA law "essentially states that every agency owns its own risk."

"FISMA legislation should codify practices and policies that keep Congress informed to allow for effective oversight," he said. "But the legislation should also allow departments and agencies the flexibility and time to respond to and report incidents, breaches, and vulnerabilities without disrupting or impacting their responses."

Committee Chairwoman Rep. Carolyn Maloney (D-N.Y.) described FISMA as the "best defense our federal information networks and supply chains have against cyberattacks," but said "the reality is that it's simply not enough to protect us in its current form."

The committee was expected to release a discussion draft of the FISMA reform legislation it was considering this week, which Rep. Maloney said contained "key similarities" to a Senate bill being considered by the Homeland Security and Governmental Affairs Committee.