The House and Senate are moving closer to passing legislation that would reform the primary law governing cybersecurity operations at federal agencies, but some members are raising questions about the how the update might impact the balance of power between the Office of Management and Budget and other agencies.
At a hearing Tuesday, Rep. Carolyn Maloney, D-N.Y., chair of the House Oversight and Reform Committee, released a draft bill that would overhaul the Federal Information Security and Management Act, which was last updated by Congress in 2014.
Maloney referenced a joint advisory from three U.S. agencies Jan. 11 detailing 16 known vulnerabilities that have been exploited by hackers sponsored by the Russian government. She said these warnings only further underscore the need to update FISMA and other federal laws that are outdated and ill-suited to repelling the kind of sophisticated attacks the U.S. government now regularly sees from countries like Russia and other geopolitical rivals.
FISMA is “the best defense our federal information networks and supply chains have against cyber attacks, but the reality is that it’s simply not enough to protect us in its current form,” Maloney said. “Threats have transformed dramatically since FISMA were last updated in 2014 and in ways that were unimaginable when the law was first written 20 years ago.”
Rep. James Comer, R-Ky., said he and Maloney are working together to further shape the legislation and laid out the committee’s requirements for reform, saying the current bureaucracy make it harder for agencies to move quickly in the wake of an incident and share what they know with other parts of the government.
“Any reform must enable federal agencies to respond to an incident in real time, to mitigate damage, fix the problem and effectively share critical information about the attack so it does not happen again,” said Comer in his opening statement. “Burdensome red tape requirements for coordination and outdated compliance checklists cannot remain significant hurdles when measuring a cyber incident, nor should Congress be subjected to delayed and disjointed agency briefings following major incidents.”
At one point, Comer alluded to a request from the Office of Management and Budget for changes to the reform bill and said the committee has “honored an overarching request to avoid imposition of overly burdensome bureaucratic reporting and compliance controls which hamper agencies from addressing daily cybersecurity challenges.”
The Senate bill puts CISA, the National Institute for Standards and Technology and the newly created Office of the National Cyber Director in an advisory role to the director of the Office of Management and Budget when it comes to setting information security policies and agency information collection practices. It would also codify the Cybersecurity and Infrastructure Security Agency’s role as the “lead entity for operational cybersecurity coordination across the federal government” and legally require other agencies to loop CISA into some of the security plans they provide to OMB.
A former congressional staffer who now lobbies for industry told SC Media in December that officials in OMB’s Office of the Federal CIO were looking for unspecified changes to FISMA reform proposals.
A current congressional aide familiar with the development of the FISMA reform bill told SC Media that officials at OMB have brought concerns to the House and Senate about the potential impacts of elevating CISA and National Cyber Director’s Office within the federal IT security ecosystem. While both CISA and the NCD were explicitly created to coordinate cybersecurity functions across government, OMB predates the existence of both and through FISMA has historically set information security policy for federal agencies.
“Even prior to FISMA … there has always been this tension between CISA’s operational capabilities and OMB’s oversight rights and capabilities and it doesn’t surprise me, because the bill that came out of [the Senate] puts CISA much more firmly in control,” they told SC Media, though they specified that the changes were more about “raising CISA up and not bringing OMB or the national cyber director down.”
Several Republicans at the hearing alluded to this dynamic. Rep. Jody Hice, R-Ga., questioned whether the proposed reforms would only further complicate an already messy collection of laws, authorities and overseeing federal entities without improving security in the long run.
“It’s no secret that our federal cyber apparatus is a massive bureaucracy and its grown exponentially since the last revamp in 2014,” said Hice. “It’s a reality and a legitimate question to ask. Does anyone believe that our nation’s cybersecurity has improved at the same pace as our bureaucracy?”
Grant Schneider, the former federal chief information security officer for the U.S. government, told the committee that integrating all these new agencies into the hierarchy of FISMA can be done, but close cooperation between OMB, and the National Cyber Director “is going to need to be absolutely seamless to make this work.”
He also outlined what he viewed as the new reality that would be created through the proposed reform bills.
“For federal cybersecurity, I view the national cyber director as having that overarching voice, being the conductor. I view CISA as really being the operational partner with agencies … to help agencies who are tasked to implement their risk management programs,” Schneider said.
Meanwhile, OMB “has and I think should continue to have the lead for developing policy and overseeing the [FISMA] program, providing the oversight, being the hammer to agencies while CISA is being the partner to agencies."
The hearing was held the same day the Government Accountability Office released a new report on FISMA that found agencies are doing better when it comes to implementing capabilities around access management and detecting and preventing cybersecurity incidents, but progress in other areas was far more uneven, with just 7 of 23 inspectors general reporting that their agencies had effective information security programs.
Jennifer Franks, director of information technology and security at GAO, told members that the most cited impediments were a lack of resources, that annual reviews tended to focus on compliance with the law at the expense of effectiveness and lack of time between annual FISMA reviews to implement recommended changes.