Leaders on the Senate Homeland Security and Governmental Affairs Committee said they are developing legislation that would update federal laws on internal cybersecurity to better account for today’s threats and further clarify the quarterbacking role the Cybersecurity and Infrastructure Security Agency should play in helping agencies raise their internal security.
The legislation would update the Federal Information Security Modernization Act, the law that mandates and underpins most federal cybersecurity programs at departments and agencies. The last reform in 2014 boosted the roles of the Department of Homeland Security and the Office of Management and Budget in overseeing those individual agency efforts and collecting reports.
Sen. Gary Peters, D-Mich., the committee chair, said he and ranking Republican Sen. Rob Portman of Ohio were working on a bill that would update FISMA for the first time in nearly eight years, with a focus on bolstering the role and authorities at CISA.
“Since our technology has developed rapidly along with the sophisticated threats that we have faced. When that legislation was passed, CISA had not yet even been created,” Peters noted. “We need to pass updated legislation that clarifies CISA’s roles and responsibilities in federal information security, improve how incidents on federal networks are being reported to Congress, and ensure that our own cybersecurity resources are effectively aligned with emerging threats.”
Portman pointed to a recent committee report on FISMA compliance that found “systemic failures to safeguard American data” at eight different departments and agencies. The rise of CISA and the creation of the national cyber director position at the White House were both specifically designed to help coordinate those kinds of activities, but Portman said the failures will endure without new legislation.
“I believe we’ll continue to see these inconsistencies or vulnerabilities because of questions about accountability unless we’re clear about who’s in charge to better prevent, who’s in charge to better respond to, cyberattacks,” said Portman.
The legislation would revisit a law that has received mixed reviews over the years. On the one hand, it forced agencies to implement a comprehensive information security program and to report periodically to Congress and OMB on their progress. On the other, agencies regularly fail to meet the requirements laid out in the law, and a wave of major, successful intrusions into government networks, including the 2015 OPM breach, the SolarWinds supply-chain compromise and the Microsoft Exchange attacks, has left lawmakers fed up and ready for change.
For example, there are few, if any, hard enforcement mechanisms to push agencies to improve or to punish them if they fall short.
“No one goes to FISMA jail,” Ari Schwartz, a former senior director on the National Security Council, said in 2019 when asked why compliance was so low.
Chris DeRusha, federal chief information officer, welcomed the bill, saying that “we need to ensure we have one common standard that everyone’s following.”
The idea also received praise from CISA Director Jen Easterly, who said the status quo for FISMA “clearly is not working” and that her agency’s central role coordinating across civilian agencies should be reflected in any bill.
“A modernized FISMA should shift the spotlight from compliance and box checking to true risk management. It also should recognize and codify CISA’s role as the operational lead for federal cybersecurity,” she said.
Easterly also endorsed legislation being drafted by Peters and Portman that would require critical infrastructure entities to report significant cyberattacks to the government. She said getting that information is “absolutely critical” to a range of coordination and incident response work CISA does with the government and private sector, and stressed that her agency should be in charge of determining the specific information reporting requirements.
“As I think of CISA’s superpower … it’s our ability to share information rapidly to enable us to protect other potential victims,” she said. “What we could do with this information is not only render assistance to the victim and help remediate and recover from the attack, but we could use that information — we could analyze it and we could share it broadly — to see whether, in fact, evidence of such intrusions were found across the sector, other sectors or the federal civilian branch.”
She also endorsed the concept of fining critical infrastructure entities that don’t comply with the law or report to the government, pointing out that sectors like finance have shown that fines can compel compliance with cybersecurity regulations.
“I know some of the language talks about subpoena authority. My personal view is that is not an agile enough mechanism to allow us to get the information that we need, to share it as rapidly as possible, to prevent other potential victims from threat actors,” she said.