Legislation aimed at modernizing the 12-year-old Federal Information Security Management Act (FISMA) has passed a vote by the Senate Homeland Security and Governmental Affairs Committee on June 25 and is headed to the Senate floor.
The new legislation, Federal Information Security Modernization Act of 2014, introduced by Committee chairman, Sen. Tom Carper (D-Del.), and Sen. Tom Coburn (R-Okla.) would amend the current FISMA, which is roundly regarded as outdated and less potent than it could be.
The original FISMA was passed into law in 2002 in the shadow of the September 11 attacks on the World Trade Center and the Pentagon. In an effort to safeguard the nation's infrastructure, its sponsors created a set of guidelines and requirements that agencies must meet. The federal organizations assess their progress annually as well as implement and track the effectiveness of their security measures.
Not only have the scope and nature of information security changed in the dozen years since the original FISMA debuted, but the self-assessments have been called into question, as has the checklist structure of the reports. Senior agency officials, who are in charge of the assessments, by and large see them as a time-suck.
The new legislation was introduced less than two months after the annual FISMA reports were released in May and Gene L. Dodaro, the Comptroller General of the U.S. and head of the Government Accountability Office (GAO), subsequently told a House committee that the Department of Homeland Security was working on, among other things, “refining performance metrics that agencies use for FISMA reporting purposes.”
In the latest round of FISMA reports, agencies claimed to have improved in their efforts to secure information, saying that they met 81 percent of the FISMA requirements, up from 73 percent the previous year. Email encryption scored among the biggest improvements, moving from 35 percent last year to 51 percent this year.
At that time, OMB Deputy Director for Management Beth Cobert told Congress in a letter accompanying the reports that “OMB continues to work with agencies to fulfill the requirements of FISMA and implement increasingly resilient information technology security and privacy management programs.”
Just a few days later, in his testimony, Dodaro called for Congress to pass “legislation that would clarify roles and responsibilities for implementing and overseeing federal information security programs and for protecting the nation's critical cyber assets.”
To that effect, the amended FISMA bill that the Senate will tackle clarifies the role of DHS, with its Continuous Diagnostics and Mitigation Program, in leading operational activities as well as OMB's role in overseeing the whole she-bang from a procedural aspect.
Advocating for continuous monitoring, FISMA 2014 relaxes the checklist-based reporting process, considered by many to be a time-suck, trains more attention on monitoring and mitigating data breaches, and focuses senior agency officials on integrating and testing actual cyber security measures.
“Cybersecurity is one of our nation's biggest challenges,” said Carper, in a press release. “That's why it's imperative that we face this 21st century threat with a 21st century response.”
He termed the work on improving cyber security as “being far from done” but called this bill as well as another, the National Cybersecurity and Communications Integration Act, “an important step in our effort to modernize our nation's cybersecurity programs and help the public and private sectors work together to tackle cyber threats more effectively in the future.”
The House passed a similar FISMA reform bill, in a 416-0 vote, in April 2013. If the Senate passes this piece of legislation, the two bills would have to be reconciled before going to President Obama to be signed into law.