An update to the Federal Information Security Management Act is under review by members of Congress.
Sen. Joseph Lieberman (I-Conn.) said Thursday night during a speech before the Homeland Security and Defense Business Council (HSDBC) in Washington that congressional staff is reviewing a draft of the changes to FISMA.
“Majority Leader Harry Reid has promised that the Senate will consider comprehensive cybersecurity legislation early next year, and we are hard at work in advance of that deadline,” according to Lieberman’s prepared remarks given to the media before the speech. “On Monday, we circulated to stakeholders a staff draft of legislative language that would improve critical infrastructure security. More titles will be circulated in the weeks to come and we are looking forward to meeting with interested parties to discuss these proposals.”
Senate lawmakers have been trying to update FISMA for the last three years.
Sen. Tom Carper (D-Del.) introduced a bill to update the 2002 law in 2008 and held out hope each successive year, but couldn’t get enough traction. Rep. Diane Watson (D-Calif.) introduced a version of the FISMA update in 2010, but again, it got nowhere.
Watson also tried to add a FISMA update to the 2010 Defense Authorization bill. But the provisions were not included in the final law.
Lieberman’s speech didn’t offer any specifics about FISMA, but he did go into more details about other parts of the comprehensive cybersecurity legislation. “We would start by directing the Department of Homeland Security (DHS) to work with industry to identify and evaluate the risks to the country’s most critical cyber-infrastructure, and to develop risk-based performance standards that these crucial systems would have to meet,” Lieberman said. “Once this has been done, owners and operators would select security measures to safeguard their systems. These plans would be reviewed by DHS cyber-experts to ensure they improve security. Our legislation would also provide liability protection for owners and operators who are in compliance with their approved security plans.”
Lieberman said DHS would help develop cybersecurity “best practices” to serve as a model for the private sector. These would in turn drive the development of better security techniques, and the resulting industry-wide standards of care would lead commercial network operators to adopt them as a way to keep existing customers and attract new ones.
Additionally, DHS would have the statutory responsibility to ensure that the government is sharing threat, vulnerability and mitigation information with the private sector.
Another part of the bill would try to address hardware and software cybersecurity. Lieberman said Congress would encourage agencies to only buy from vendors who “bake” security in from the beginning of development.
“Using the federal government’s purchasing power, I believe would help prod technology companies to produce more secure products, which would then be available to businesses and consumers,” he said.
Howard Schmidt, the White House cyber coordinator, said in an interview with Federal News Radio the new cybersecurity research and development strategy released last week by the White House tries to address that concern.
“We are using this research to leapfrog ahead so it’s not a matter of upgrading to this generation or that generation, but make it so you leap ahead and reduce the vulnerabilities in your system,” he said. “In many cases we are finding they are still using old software and systems that are not designed to be resilient and as a result have to make critical upgrades in a short amount of time.” The effort to improve cybersecurity through the procurement process is not new, but it is part of how DHS is trying to protect civilian networks.
Lieberman said to better protect civilian networks, DHS should continue to rely on the expertise of the Defense Department’s National Security Agency.
“In this year’s National Defense Authorization Act, we took an important first step in formalizing these relationships when we codified an existing agreement between DHS and NSA to share resources,” he said. “This is a small step, but it is nonetheless important — and provides an example of how Congress can put aside partisanship to address our nation’s pressing cybersecurity needs.”
Lieberman, who is retiring at the end of his term in 2012, said his “goal is to pass this bill and get it to the President before I leave the Senate.”
Schmidt said the White House has been working with the Hill to get the cyber legislation passed.
“We are very thankful Senator Reid has committed to actually move the debate of the cybersecurity legislation to the first Senate work period of next year,” Schmidt said. “We could be moving forward with a lot of these things in January and February. We will continue to work with the leadership in both the Senate and House to help bring these things together and to make sure they stay informed of what we are looking to get out of the various programs we are doing, but more importantly what are the things we need specifically legislatively to help.”