House Committee Advances FISMA Modernization ActRep. Carolyn Maloney: 'It's Crucial We Shore Up Federal Cyber Defenses'
The House Oversight and Reform Committee today advanced its version of the Federal Information Security Modernization Act of 2022, or FISMA, which entails sweeping cybersecurity updates for federal civilian agencies. The bipartisan measure, sponsored by Chairwoman Carolyn Maloney, D-N.Y., and ranking member James Comer, R-Ky., was sent to the full House on a voice vote.
The bill mirrors a similar proposal in the Senate, introduced by Homeland Security and Governmental Affairs Committee Chairman Gary Peters, D-Mich., and ranking member Rob Portman, R-Ohio. It sets out to update the existing FISMA law, first passed in 2002 and last amended in 2014. Officials say that as written, it does not account for rapid changes in the threat landscape over the last eight years - particularly threats to government networks by nation-state actors. Prior to Wednesday's markup meeting, the committee discussed FISMA reform in a hearing with former federal cybersecurity officials (see: Cybersecurity Experts Push for Sweeping FISMA Changes).
The elements of the bill include:
- Empower the Office of Management and Budget to develop cybersecurity and oversight policy;
- Allow the Cybersecurity and Infrastructure Security Agency to handle operational coordination;
- Allow the national cyber director to dictate overall cyber strategy;
- Codify the federal chief information security officer position within OMB;
- Require CISA to remove cybersecurity barriers via shared services and technical assistance;
- Take a comprehensive, risk-based cyber approach with real-time information sharing;
- Use automation technologies where possible,
- Ease compliance burdens;
- Reduce the number of FISMA assessments required for agencies;
- Improve the sharing of information between agencies and Congress about cyber incidents;
- Inventory internet-accessible IT systems and assets;
- Develop software bills of materials.
Prefacing the committee activity, Maloney said that the need for FISMA modernization has never been more apparent. She cited Russia's mobilization of 100,000 troops along Ukraine's eastern border, the cyberattack on some 70 government websites in Ukraine and the U.S. Department of Homeland Security's subsequent warning about retaliatory Russian cyberattacks on U.S. infrastructure (see: Russia's Escalation in Ukraine Sounds Cyber Defense Alarms).
"[DHS'] warning is a stark reminder of other recent cyber assaults committed by geopolitical adversaries against U.S. governments, businesses and civil society, including the SolarWinds attack by Russian actors and the Microsoft Exchange Server attack by Chinese hackers," Maloney said.
She added: "It is crucial that we shore up the cyber defenses of the federal government. ... To defend our federal networks in this new frontier of cyberwarfare, we must pursue a transformative approach and we must be constantly vigilant. That's exactly what we are here to accomplish today."
Maloney said that the proposal ensures a risk-based cybersecurity approach and makes a "crucial shift" to zero trust architecture. The latest version also "reflects valuable insights gained in the bipartisan hearing held last month," she said.
According to Maloney, the proposal requires OMB to update the definition of a "major incident" every two years to ensure effectiveness, and inventories of systems and software would help identify and mitigate vulnerabilities faster - including the widespread open-source flaw in Apache's Log4j logging utility.
Maloney also said on Wednesday that the investigation into the SolarWinds breach - carried out via malicious software update and ultimately affecting 100 organizations globally and nine federal agencies - highlighted the criticality of "clear incident reporting requirements." The FISMA update, she said, would require federal contractors to "immediately report an incident impacting federal data or information systems."
Comer, the committee's ranking member, shared similar thoughts.
Since the last FISMA update, he said, "we have seen criminal organizations, nation-states and all manner of enemies unleash a nonstop barrage of cyberattacks against American companies and federal agencies. These threats are becoming more sophisticated and … [jeopardize] national security [and] even the personal safety of [the] American people."
To remain proactive, Comer said, "FISMA must evolve in order to meet the challenge." He added: "The SolarWinds breach last year served as a wakeup call that the governance structure of federal cybersecurity, the maturity of our cyber defenses and the effectiveness of our oversight tools are no longer up to the task."
Grant Schneider, who testified on FISMA before the same committee last month, agreed, telling ISMG, "The number and impact of cyber incidents continues to increase, impacting both government and commercial entities. The need for greater cyber protections has never been greater."
Schneider, senior director of cybersecurity services at the law firm Venable, the former federal CISO and an active ISMG contributor, adds: "Since the last update to FISMA, Congress has created CISA and established the National Cyber Director, generating the need for additional clarity around roles and responsibilities."
Citing various cyber incidents since 2014 - the days of the Obama administration - John Bambenek, principal threat hunter at the firm Netenrich, tells ISMG: "Hopefully, Congress can take this opportunity to consider legislation that will bring the federal government up to speed with the current environment."
Supply Chain Security Training Act
Also on the agenda on Wednesday was the Supply Chain Security Training Act, sponsored by Rep. Joe Neguse, D-Colo. The bill mirrors a Senate proposal put forth by Peters and Sen. Ron Johnson, R-Wis., and would establish a training program for federal agency employees with responsibilities for supply chain risk management, preparing them to identify and mitigate supply chain threats that arise in the acquisition of products and services.
Outlining its impact, Maloney said the amended version incorporates recommendations from the National Institute of Standards and Technology to improve the program.
And Rep. Scott Franklin, R-Fla., said, "HR 5962 aims to ensure the federal workforce understands supply chain risks and associated policies," and tasks the General Services Administration with developing the training program - which would be issued governmentwide by OMB.
Franklin said the program "will prepare federal personnel to identify and mitigate security risks throughout the acquisition life cycle of products and services, including information and communications technology."
But Rep. Jody Hice, R-Ga., who voiced support for the measure - which was also moved to the full House - said that the proposal only "nibbles around the edges" in addressing the cyber threat posed by China.
"China is attacking our IT systems every day, and they want nothing more than to damage our country in any way," he told the committee. "And it seems to me [we're] basically just continuing to sit here and let it happen."
Hice said the U.S. must impose "serious consequences" for state-backed cyber activities.