Congress passes FISMA update
The 2014 legislative session is coming to a close, and Congress has suddenly become surprisingly productive – at least in one key area. After months of gridlock, both the House and Senate have recently passed a number of cybersecurity bills. Following the approval of the National Cybersecurity Protection Act of 2014 – a bill widely seen as among the most significant pieces of cybersecurity legislation of the past decade – Congress has now passed an update to the Federal Information Security Management Act, better known as FISMA.
A needed update
FISMA, originally passed in 2002, aimed to improve federal cybersecurity efforts by requiring agency leaders and other government officials to create and regularly review their information security programs. FISMA also mandated that all federal information systems comply with cybersecurity guidelines developed by the National Institute of Standards and Technology.
While effective, the original version of FISMA was no longer sufficient for the federal government's cybersecurity needs, according to Sen. Tom Carper (D-Del), one of the bill's sponsors.
"Since the passage of FISMA, agencies have made progress in setting up consistent information security programs across government," Carper wrote in the summary report. "Unfortunately, however, they have not kept up with the cyber threat that has grown even faster and larger than Congress could have foreseen in 2002. … This bill will modernize our outdated federal network security laws, provide the tools and authorities needed to improve security at our federal agencies and increase transparency and accountability for data breaches at federal agencies."
Smoother processes, better cybersecurity
The 2014 FISMA update will have a number of effects on federal government cybersecurity efforts. Most notably, the new version will aim to streamline many of the cybersecurity processes that agencies must go through.
For example, Federal Times asserted that one of the biggest changes that this update brings is the elimination of the three-year "Certification and Accreditation" report that agencies previously had to execute. The source noted that this requirement was frequently criticized as unduly time-consuming and wasteful without adding much in the way of cybersecurity benefits. The bill also reduces paperwork requirements in a number of other areas.
Beyond simplifying certain cybersecurity processes, the biggest FISMA update is a renewed focus on the importance of monitoring. Both the Office of Management and Budget and Department of Homeland Security must file reports on federal efforts to adopt continuous monitoring solutions, as FCW reported.
Additionally, the legislation established that the DHS will now act as the lead for all federal day-to-day cybersecurity issues. This includes providing assistance in the wake of a data breach or other security incident. The OMB, however, will retain the authority to establish security policy, and will continue to determine agency budgets and provide IT security guidance.
This, according to Carper, is a logical change. He pointed out that the DHS has more than 400 employees who are dedicated to monitoring and protecting government networks on a full-time basis, while the OMB has only two or three equivalent personnel, Federal Times reported.
Finally, the FISMA update requires agencies to report any and all security incidents within seven days of the initial detection, and provide information regarding possible culprits and vulnerabilities.
As in the past, FISMA compliance will remain a critical issue for every federal agency, as well as for contractors that aim to provide services to government organizations. And although the latest FISMA guidelines are by and large unchanged, achieving compliance remains as challenging as before.
To reach this goal and better protect their information systems, federal agencies should consider partnering with third-party cybersecurity services providers. Such consulting firms can offer guidance and expertise, helping to bridge the gap between FISMA requirements and agency policies and systems.