Senate moves to reform FISMA
The Senate Homeland Security and Governmental Affairs Committee took a major step this week toward overhauling the aging Federal Information Security Management Act, lessening agencies’ static reporting requirements and striking a balance between FISMA’s checklist approach and the emerging concept of continuous monitoring.
The Federal Information Security Modernization Act of 2014, passed out of committee June 25, acknowledges the increasing role of continuous monitoring in helping federal agencies manage cybersecurity risks and clarifies the roles and authorities of the Office of Management and Budget and the Department of Homeland Security in federal information security management and oversight.
The new legislation does not rewrite FISMA wholesale; instead it removes the requirement that agencies reassess and reauthorize their systems on a fixed three-year cycle. The draft bill still requires periodic assessments of risk, but it also makes sure senior agency officials are tasked with integrating, testing and evaluating cybersecurity measures on an ongoing basis. The bill also contains provisions to rescind the section of OMB Circular A-130 that imposes the three-year cycle; A-130 governs how OMB implements FISMA.
Originally passed in 2002, FISMA was designed to protect the country’s national information infrastructure. The law established a series of standards and guidelines agencies must fulfill and at its inception was designed to lead the implementation of cost-effective information security programs to facilitate more secure and informed authorization decisions in federal agencies.
But FISMA has increasingly been viewed by experts in and out of government as a time-consuming paperwork exercise in need of reform. Many see DHS’ Continuous Diagnostics and Mitigation program playing a more important role in federal cybersecurity.
“I think that FISMA is overdue for an overhaul,” Ken Durbin, the continuous monitoring practice manager for Symantec, said during a webcast June 24 hosted by Federal News Radio. “I think it is going to arch up. I think [Congress is] going to balance that out with what CDM’s trying to do versus the original intent of FISMA.”
That seems to be precisely the intent of the new bill. According to the text of the legislation, the bill attempts to define the roles DHS and OMB play in the FISMA and CDM processes. Currently, DHS leads CDM’s implementation and works with OMB and the CIO Council to develop FISMA metrics. Under the new bill, however, DHS would take over FISMA operationally, while OMB would continue to have oversight of the process.
OMB made continuous monitoring one of its 14 cross-agency priorities in 2012. Within DHS, CDM provides departments and agencies tools to identify cybersecurity risks on an ongoing basis. Once identified, CDM allows agencies to categorize those risks based on their potential impacts, which enables an agency to address the most significant risks quickly.
CDM is funded by Congress in support of FISMA. But the two differ enough in their approach, a point-in-time compliance checklist versus ongoing diagnostics, that some agencies have to juggle them.
At the Justice Department, the Cyber Security Assessment & Management tool is primarily focused on FISMA compliance, while the agency leverages DHS’s CDM program to procure the latest cybersecurity capabilities.
“While FISMA compliance has not necessarily gone away, we are trying to balance that piece along with the continuous diagnostic and mitigation requirements,” Melinda Rogers, DOJ’s chief information security officer, said during the webinar. “At Justice, we are a very federated agency, but we have been successful in centralizing at least the visibility of knowing what assets are where in our environment. I mean, that’s really part of the key challenges is knowing what you have and where you have it; then you can either go in and address it or accept the risk of its existence.”
Committee Chairman Sen. Tom Carper, D-Del., said the new measure strikes the right balance between FISMA and the emerging capabilities of CDM.
“I think we finally found the sweet spot,” Carper said. “Basically, if I could use an analogy here, the job of OMB is to steer the boat, to set the policy, to be the enforcer. The job of DHS is to help row the boat, and they work at this together.”