FISMA 2014 codifies many current federal security practices
The Federal Information Security Modernization Act of 2014, enacted by Congress in mid-December along with three other pieces of cyber-security-related legislation, is noteworthy primarily for its emphasis on continuous monitoring of the security of federal systems; increased attention on incident detection, response, and reporting; and formally assigning the Department of Homeland Security (DHS) responsibility for developing, implementing, and ensuring government-wide compliance with federal information security policies and practices. For the most part, however, the 2014 update to FISMA introduces little new to federal security management, but instead codifies roles, responsibilities, requirements, and practices already put in place through OMB memoranda and other official guidance to agencies. A side-by-side comparison of the 2002 and 2014 FISMA legislation shows substantial similarities in the text of both laws, with major differences in only four aspects:
- Responsibilities assigned to the Secretary of DHS (§3553(b))
- Agency reporting requirements (§3554(c))
- New guidance and reporting requirements on security incidents (§3554(b) and §3558(b))
- Policies and guidelines on data breach notification (§3558(d))
Where the 2002 FISMA law assigned essentially all agency oversight responsibilities to OMB (with annual reports to Congress), the 2014 version divides these responsibilities between OMB and DHS. To be fair, at the time FISMA was enacted, it would have been infeasible to delegate explicit responsibilities to DHS, since the Homeland Security Act establishing that Department passed just three weeks before FISMA. The 2014 law has OMB handling information security policies and practices and overseeing NIST’s development of standards and guidelines, and DHS leading the implementation of those policies, practices, and standards as well as monitoring agency information security practices and, when asked, providing technical assistance to other agencies. This separation of duties under FISMA 2014 is consistent with the clarification of cybersecurity responsibilities between OMB and DHS spelled out in OMB Memorandum M-10-28, issued in July 2010. M-10-28 placed administrative, budgetary, and fiscal oversight with OMB and gave DHS primary responsibility for “operational aspects” of security in all executive agencies, importantly including government-wide incident response.
Much has been made of the provision near the end of the new FISMA legislation that instructs OMB to update its Circular A-130 to “eliminate inefficient or wasteful reporting.” Appendix III of Circular A-130, last revised in 2000, a little more than two years before FISMA was enacted, contains the requirement that agencies formally authorize each of their information systems before putting them into operation and re-authorize them at least every three years. The language in the new law, taken together with the emphasis on continuous diagnostics and monitoring, is assumed to imply that agencies will no longer need to undergo system assessment and authorization processes for the systems they already have operating. Despite the appeal of this interpretation, it is not at all clear that the time- and labor-intensive set of activities and security artifacts specified in the NIST Risk Management Framework will be set aside in favor of robust monitoring programs. Also overlooked is the fact that OMB somewhat quietly waived the every-three-year re-authorization requirement in an answer to a question in the “frequently asked questions” section of its fiscal year 2011 FISMA reporting instructions to agencies, which explained that agencies’ implementation of continuous monitoring programs would obviate the need for system re-authorization every three years.
With respect to security incident reporting and breach notification, FISMA 2014 both substantially augments the obligations of federal agencies for incident handling and reporting and incorporates provisions in official guidance to agencies issued since the 2002 law went into effect. FISMA 2014 provides its own definition of incident: “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.” It also adds an agency obligation to report “major incidents” within seven days of their occurrence to designated Congressional committees, in addition to existing requirements to report incidents to appropriate agency officials. There is no reference in the new law to current reporting timeframes for notifying the U.S. Computer Emergency Readiness Team (US-CERT) of incidents, which in the case of incidents involving highly sensitive data require notification within one hour of discovery. This reporting requirement has been in place since 2007, and seems unlikely to change, even as US-CERT now officially falls within the National Cybersecurity and Communications Integration Center codified in the National Cybersecurity Protection Act of 2014 (one of the other bills enacted with the new FISMA legislation).