The biggest barrier for agencies to move to a more dynamic approach to cybersecurity is not the almost 12-year-old law that governs how they protect federal systems. Rather, it’s the Office of Management and Budget circular that implements the Federal Information Security Management Act that’s the real problem.
This is why Senate lawmakers’ plans to update FISMA center not on making continuous monitoring the law of the land, but on rescinding a key section of Circular A-130 immediately and requiring OMB to issue interim guidance.
The goal of the Federal Information Security Modernization Act of 2014, sponsored by Sens. Tom Carper (D-Del.) and Tom Coburn (R-Okla.), chairman and ranking member of the Homeland Security and Governmental Affairs Committee, respectively, would be to improve federal cybersecurity in specific ways, but not make a wholesale rewrite of FISMA, said a committee aide.
Federal News Radio obtained a draft version of the FISMA 2014 bill ahead of the committee’s markup scheduled for Wednesday. It’s one of several bills Senate lawmakers plan to address, including an amendment in the nature of a substitute for the House’s version of the Federal IT Acquisition Reform Act.
The aide, who requested anonymity in order to speak about the bill before it was formally introduced, said CIOs say FISMA is working for the most part, but it’s A-130 that is the real hang-up, especially for department inspectors general and other oversight bodies.
The aide said rescinding the specific section of A-130 requiring agencies to examine and report on their systems every three years, combined with the direction already set by the National Institute of Standards and Technology’s standards, OMB’s policies and the Homeland Security Department’s operational plans for the continuous diagnostics and mitigation (CDM) program, would be enough to change the culture of the government.
The need to update A-130 isn’t new. A group of federal cyber experts, led by former OMB executives Karen Evans, Frank Reeder and Dan Chenok along with Alan Paller and Jim Lewis, released a white paper in October 2012 calling for major changes to the circular.
OMB hasn’t updated A-130 since November 2000, when it first called on agencies to “review the security controls in each system when significant modifications are made to the system, but at least every three years. The scope and frequency of the review should be commensurate with the acceptable level of risk for the system.”
The Senate’s draft bill would require agencies to conduct periodic assessments of risk and of the magnitude of harm that could result from a cyber attack or data breach. The FISMA Act would ensure agencies have senior-level leadership around cybersecurity, integrate cybersecurity procedures and standards into strategic planning efforts, and periodically test and evaluate information security controls and techniques to ensure that they are effectively implemented as necessary based on the risk of the system.
The one thing the bill doesn’t do is explicitly call out the requirement to use continuous diagnostics and mitigation tools or processes. In fact, there is only one mention of CDM in the entire bill, and that’s in the section related to DHS operational authorities.
The committee aide said lawmakers recognize the DHS CDM program is making real progress, so they didn’t want to disrupt that effort by putting new requirements or anything else in the bill that could be seen as conflicting with the initiative.
The other area the draft bill tries to address is to more clearly delineate the roles of DHS and OMB.
OMB will continue to have policy and oversight responsibilities, while DHS will take over the operational requirements. The current setup is similar to this approach: DHS is leading the implementation of CDM, developing FISMA metrics with OMB and the CIO Council, and collecting, managing and sharing cyber threat and vulnerability data across the public and private sectors.
The Senate also added a section in the bill around data breach reporting. The bill tries to create a standard requirement for agencies to notify Congress — within no more than seven days — after they’ve discovered a breach where they lost personally identifiable information (PII), and to notify the public within 60 days, unless there are law enforcement or other national security reasons not to.
Senate lawmakers, once again, are taking their own approach to updating FISMA. Similar to FITARA, the upper chamber is taking a less prescriptive approach, while the lower chamber is trying to address long-standing criticisms of the 2002 law.
This is at least the Senate’s third attempt to update FISMA. Carper first tried in 2008 and then again as part of the comprehensive cybersecurity legislation that never got out of committee in 2010 and 2012.
Along with the FISMA Amendments bill, the committee will mark up the National Cybersecurity and Communications Integration Center Act of 2014.
The five-page NCCIC Act would designate the current facility as the central civilian agency information-sharing office for cybersecurity. It would, in many ways, just codify what the NCCIC already is doing.
The committee aide said they heard from government and contractor cyber experts about how having a law such as this on the books would make interactions easier and avoid some legal headaches.
The bill, however, doesn’t address the biggest issue around cyber information sharing with industry, which is liability protection for private sector companies.
The aide said the committee is concerned about liability protection, but, as of now, is leaving it to the bill sponsored by Sens. Dianne Feinstein (D-Calif.) and Saxby Chambliss (R-Ga.).