Legislation aimed at modernizing the 12-year-old Federal Information Security Management Act (FISMA) has passed a vote by the Senate Homeland Security and Governmental Affairs Committee on June 25 and is headed to the Senate floor.
The new legislation, the Federal Information Security Modernization Act of 2014, introduced by committee chairman Sen. Tom Carper (D-Del.) and Sen. Tom Coburn (R-Okla.), would amend the current FISMA, which is widely regarded as outdated and less effective than it could be.
The original FISMA was passed into law in 2002 in the shadow of the September 11 attacks on the World Trade Center and the Pentagon. In an effort to safeguard the nation's infrastructure, its sponsors created a set of guidelines and requirements that agencies must meet. Under the law, federal agencies must implement security measures, track their effectiveness, and assess and report on their progress annually.
Not only have the scope and nature of information security changed in the dozen years since the original FISMA debuted, but the reliance on agency self-assessments and the checklist structure of the reports have also been called into question. Senior agency officials, who are responsible for the assessments, by and large see them as a time sink rather than a security exercise.
The new legislation was introduced less than two months after the annual FISMA reports were released in May. Gene L. Dodaro, the Comptroller General of the U.S. and head of the Government Accountability Office (GAO), subsequently told a House committee that the Department of Homeland Security was working on, among other things, “refining performance metrics that agencies use for FISMA reporting purposes.”
In the latest round of FISMA reports, agencies claimed to have improved in their efforts to secure information, saying that they met 81 percent of the FISMA requirements, up from 73 percent the previous year. Email encryption scored among the biggest improvements, moving from 35 percent last year to 51 percent this year.
At that time, OMB Deputy Director for Management Beth Cobert told Congress in a letter accompanying the reports that “OMB continues to work with agencies to fulfill the requirements of FISMA and implement increasingly resilient information technology security and privacy management programs.”