Lawmakers press White House to submit FISMA report

Leadership of the House Oversight and Government Reform Committee wants to know why the White House has yet to meet its obligations under a major information security law.

Reps. Jason Chaffetz (R-Utah), chair of the committee, and Elijah Cummings (D-Md.), the committee’s ranking member, have requested the Executive Office of the President’s fiscal 2015 Federal Information Security Management Act (FISMA) report.

The lawmakers warned the White House that not submitting the FISMA report, already long past the Office of Management and Budget’s March 1 deadline, would send the wrong message to agencies that complied with the law’s requirements.

“It is especially troubling that EOP has yet to submit its complete FISMA report to the committee, given the agency’s central role in overseeing other federal information security requirements, not failing in its own compliance with the law,” Chaffetz and Cummings wrote July 26 in a letter to White House Chief of Staff Denis McDonough.

The House Oversight leadership also sent copies of the letter to 24 federal agencies, the Office of the Director of National Intelligence, and the Central Intelligence Agency.

Under FISMA, federal agencies built on progress made during the 30-day cyber sprint, and were held to commit to a long-term information security vision and set specific deadlines. Federal Chief Information Officer Tony Scott and OMB Director Shaun Donovan signed off on the annual guidance for FISMA reporting on Oct. 30, 2015.

The law tasks inspectors general with conducting an independent review of their agencies’ information security programs and practices. Agencies then submit those findings to OMB, which in turn submits the report to Congress.

Agencies without an IG are required to hire an independent auditor.

Chaffetz and Cummings also reminded the EOP of its obligation to submit its Federal Cybersecurity Enhancement Act (FCEA) report by December 18.

“Although the deadline has not passed, we raise these now to ensure you are aware of your responsibilities under the law, and the corresponding deadline,” the congressmen wrote.

The letter doubles down on a point of contention from a May 25 hearing, where Rep. Mark Meadows (R-N.C.) argued with Scott over missing FISMA reports for EOP, OMB, and the National Security Council.

Scott told Meadows that legal counsel advised the White House it wasn’t obligated to submit a report under FISMA. Meadows, however, disagreed with the legal opinion.

“Congress was very clear, extremely clear that indeed the White House and indeed OMB is required to submit that and yet, we can’t find where you’ve done it. We’ve specifically in the legislation mentioned the White House,” Meadows told Scott, adding that noncompliance sets a bad example for agencies to follow.