The House Oversight and Government Reform Committee on Wednesday unanimously approved two bipartisan bills: one updates the Federal Information Security Management Act (FISMA) to clarify cybersecurity roles and responsibilities within the federal government and to emphasize continuous monitoring for threats; the other improves training of federal procurement employees so they can identify risks in the supply chain for information and communications technology.
FISMA 2022 (H.R. 6497), which now goes to the full House for consideration, would be the first update to the law since 2014, before the National Cyber Director (NCD) role was created and before the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) was authorized. FISMA was first enacted in 2002 and established the cybersecurity practices required of federal agencies.
The proposed update "modernizes our approach to cybersecurity," Rep. Carolyn Maloney (D-N.Y.), chairwoman of the committee, said during the markup of the FISMA 2022 legislation. "This legislation ensures we shift to a risk-based approach and make the crucial shift to a zero-trust architecture that continuously monitors the security of federal networks."
A zero-trust architecture essentially means adopting a posture of "presumption of compromise" rather than treating an agency's network as trusted: every request is authenticated and authorized regardless of where it originates, information systems are administered under least privilege, and the ability of threat actors to move laterally within and between agencies' networks is limited.
Key provisions of FISMA 2022 clarify the roles and responsibilities of the central federal cybersecurity organizations: the Office of Management and Budget (OMB) would be responsible for cybersecurity policy development and oversight, CISA for operational coordination, and the NCD for overall cybersecurity strategy.
The bill directs federal agencies to report major cyber incidents to Congress within seven days of determining that a major incident has occurred, and to share information on incidents with CISA, OMB and the NCD. It also gives CISA the authority to continuously monitor and analyze major incidents at agencies and to establish a program offering ongoing cyber threat hunting services on agencies' networks.
Every two years, OMB would be required to update the definition of a major cyber incident, the bill says.
The legislation also requires fewer point-in-time FISMA assessments and instead emphasizes continuous monitoring of networks, and it directs agencies to maintain inventories of all their internet-accessible information systems, software and assets, a key enabler of situational awareness, since an agency cannot defend assets it does not know it has.
FISMA 2022 would also codify the federal chief information officer and federal chief information security officer (CISO) roles within OMB, and make the federal CISO the deputy NCD for strategy, capabilities and budget.
The bill also directs several pilot programs and studies. OMB would conduct a pilot to create a risk-based budget for cybersecurity spending. CISA would study active defense techniques to improve the security of agencies, pilot operating a security operations center on behalf of another agency (reducing duplication across the government and moving toward more centralized cybersecurity), and pilot endpoint detection and response as a shared service to agencies, to reduce cost, improve interoperability, and continuously detect and mitigate threat activity on federal networks.
A similar bill is being considered in the Senate, co-sponsored by Sens. Gary Peters (D-Mich.) and Rob Portman (R-Ohio), the chairman and ranking member, respectively, of the Homeland Security and Governmental Affairs Committee. Maloney said that she and her ranking member, Rep. James Comer (R-Ky.), are working with the senators on the legislation.
Separately, the committee also unanimously approved the Supply Chain Security Training Act (H.R. 5962), which has already passed the Senate. The bill requires the General Services Administration to create a standardized training program for federal employees involved in purchasing information and communications technology, so that they can perform supply chain risk management activities and identify and mitigate supply chain security risks.