Latest FISMA reform proposals would codify federal CISO role

The role is currently politically appointed but does not have statutory authority.
Chairwoman Carolyn Maloney, D-N.Y., speaks during a House Oversight Committee on Oversight and Reform hearing at the U.S. Capitol on October 7, 2021 in Washington, D.C. (Photo by Bill Clark-Pool/Getty Images)

New draft legislation to revamp the Federal Information Security Management Act includes language that would codify the federal chief information security officer as a statutory role.

Language included in new proposals would enshrine the presidentially appointed role in law and reaffirm the reporting line of the cybersecurity leader to the federal chief information officer.

The Office of the Federal CISO was created in September 2016 within the Office of Management and Budget. Since the start of the Biden administration, the role has been carried out by senior cybersecurity official Chris DeRusha, who has since also been named deputy national cyber director for federal cybersecurity.

The proposal comes as part of a discussion draft of new FISMA reform legislation released Tuesday by Reps. Carolyn Maloney, D-N.Y., the chairwoman of the House Committee on Oversight and Reform, and committee ranking member James Comer, R-Ky.


“There is established in the Office of the Federal Chief Information Officer of the Office of Management and Budget a Federal Chief Information Security Officer, who shall be appointed by the President,” the draft bill says. It specifies that the Federal CISO will work with the Federal CIO on a range of issues including cybersecurity strategy, information security and privacy.

The new legislation would also redouble agencies’ focus on the implementation of zero-trust security principles and assign responsibility for operational coordination in the aftermath of a cyberattack to the Cybersecurity and Infrastructure Security Agency. In addition, it would replace point-in-time risk management assessments with monitoring under the Continuous Diagnostics and Mitigation (CDM) program. The bill also includes language intended to promote security practices such as endpoint detection and response and vulnerability disclosure programs.

Lawmakers have repeatedly sought to reform FISMA since it was established in 2014 and in October last year proposed a bill that would update the legislation to require agencies to notify Congress of cyber breaches within five days.

The latest draft bill was discussed Tuesday at a hearing held by the Committee on Oversight and Reform. Testifying at the hearing, former Federal CISO Grant Schneider supported proposals included in the new draft bill that would clarify cybersecurity responsibilities across agencies.

“Since the last update to FISMA, Congress has established the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security as well as the National Cyber Director within the Executive Office of the President,” Schneider said. “These have been important additions to the federal cybersecurity ecosystem and require clarification of roles and responsibilities with respect to federal cybersecurity. I recommend Congress clarify the roles and responsibilities at a high level and direct the President to clarify them in more detail.”


During the hearing, Ross Nodurft, representing the Alliance for Digital Innovation, called for cybersecurity roles and authorities among federal agencies to be updated, along with cyber incident reporting protocols.

“As agencies modernize technology, move to cloud-based environments, take steps to enhance security, and migrate to zero trust architectures, oversight offices must also modernize the measurements used to track agency progress and measure security,” Nodurft said.

The Government Accountability Office conducted a recent audit of FISMA across government and found uneven implementation of cybersecurity policies and practices among federal agencies. Jennifer Franks, GAO’s director for IT and cybersecurity, shared the findings from that report as a backdrop for Tuesday’s hearing.

“For fiscal year 2020 reporting, IGs determined that seven of the 23 civilian Chief Financial Officers Act of 1990 (CFO) agencies had effective agency-wide information security programs. The results from the IG reports for fiscal year 2017 to fiscal year 2020 were similar with a slight increase in effective programs for 2020,” Franks said.
