Congress and the president seek to modernize FISMA in order to ensure the nation's security.

After years of proposed changes, FISMA is finally morphing. What entered the legislative record in 2002 as the Federal Information Systems Management Act is almost certain to become the Federal Information Systems Modernization Act under the new Congress, following passage by its predecessor in December.

The name change highlights a major shift, says Maria Horton, who was CIO for the National Naval Medical Center as FISMA made its way into law. “By modernization, Congress and the president are looking at how to modernize in order to protect our security,” says Horton, currently founder and CEO of EmeSec, a Reston, Va.-based consultancy with federal government clients. Under FISMA 2.0, as it is commonly known, “agencies themselves must be prepared to report on a breach, how large it is, how many people are affected, and the circumstances surrounding it,” she says.

FISMA 2.0 would replace what has typically been federal agencies' triennial cybersecurity compliance assessment. More frequent reports, with a strict deadline to report data breaches, would supplant the older system. It further calls for “automated security tools to continuously diagnose and improve security.” The Department of Homeland Security, which played a coordinating role for compliance with little authority under the original legislation, would play a more formal and central role under the proposed legislation, with the department's $6 billion “Continuous Diagnostics and Mitigation” contract providing federal departments and agencies with a range of choices for cybersecurity products and services.

To appreciate the impact of the changes, it's useful to step back and look at the history, says Juanita Koilpillai, CEO and president of Waverley Labs, a Waterford, Va.-based consultancy that often works with clients in the federal government. “With the current FISMA evaluation, it is hard for implementations to be consistent across the board,” she says. “Systems that are in compliance are not secure and vice versa. Even checking for four of the 20 critical controls proposed by SANS Institute is an expensive exercise.”