The Homeland Security and Governmental Affairs Committee has introduced new bipartisan legislation that would overhaul one of the primary laws governing civilian federal cybersecurity and formally recognize some of the newer cybersecurity kids on the block.
The Federal Information Security Modernization Act, first enacted in 2002, was last updated in 2014. That reform pre-dates massive events, like the 2015 Office of Personnel Management hack, the 2016 election hack and leak operation, the 2017 WannaCry and NotPetya ransomware attacks, the rise of the Cybersecurity and Infrastructure Security Agency, the 2020 SolarWinds campaign and other incidents that have completely reshaped the way the government thinks about cybersecurity.
The new bill puts CISA and the newly created position of national cyber director in an advisory role to the director of the Office of Management and Budget when it comes to setting information security policies and agency information collection practices. It would also codify CISA’s role as the “lead entity for operational cybersecurity coordination across the federal government” and legally require other agencies to loop CISA into some of the security plans they provide to OMB.
“Since Congress last addressed this critical issue, online threats have rapidly evolved and CISA had not yet been created,” said Chairman Gary Peters, D-Mich., in a statement. “This bipartisan bill will help secure our federal networks, update cyber incident reporting requirements for federal agencies and contractors to ensure they are quickly sharing information, and prevent hackers from infiltrating agency networks to steal sensitive data and compromise national security.”
CISA would be charged with conducting regular risk assessments of federal agencies and briefing the national cyber director on the results, including ongoing incident analysis, remediation, known system vulnerabilities, penetration testing, threat intelligence and threat hunting activities.
Each agency under OMB’s discretion must also report to congressional committees at least every two years to summarize these risk assessments.
Other proposed language would reinforce the collaborative, interconnected nature and shared responsibility of cybersecurity problems in government, as well as the stark disparities that exist between different agencies.
The bill would include language to “recognize that each agency does not have the same resources to secure agency systems, and an agency should not be expected to have the capability to secure the systems of the agency from advanced adversaries alone.” It would also endorse “a holistic Federal cybersecurity model [that] is necessary to account for differences between the missions and capabilities of agencies.”
Peters previewed the legislation in a hearing last week. Ranking Republican Sen. Rob Portman of Ohio pointed to a report on FISMA compliance that the committee released earlier this year, which found “systemic failures to safeguard American data” at eight different departments and agencies.