House appetite growing for cybersecurity, FISMA reform

No sooner did the Federal Information Security Amendment (FISA) Act (H.R. 4900) clear the House Oversight and Government Reform Committee’s Subcommittee on Government Management, Organization and Procurement, another cybersecurity bill was introduced and referred to the Committee. Among other provisions FISA would require agencies to begin continuous information systems security monitoring to ensure compliance with FISMA and provide more operational awareness of threats and vulnerabilities, and would create a Federal Cybersecurity Practice Board to establish government-wide information security processes and oversee agencies’ implementation of those standard defenses. In contrast to this oversight, the newly introduced Executive Cyberspace Authorities Act (H.R. 5247) would not only require agencies to demonstrate and report on their compliance with FISMA, but would penalize agencies (in the form of withholding budget approval) whose efforts to protect their information technology are deemed insufficient by the Director of the National Cyberspace Office.

In parallel to these legislative activities, OMB and the Department of Homeland Security are moving ahead with new FISMA reporting requirements, under which agencies must start using the online Cyberscope reporting system by November of this year. It’s not entirely clear how monthly reporting of summary data similar to what agencies currently report would produce the sort of “continuous monitoring” described in Appendix G of the revised NIST Special Publication 800-37 and also emphasized in the new draft version of Special Publication 800-53A released last week, but any movement away from annual (or tri-annual, if you consider system accreditation) point-in-time control documentation would be an improvement. It also seems feasible that OMB would get better, not just more frequent, security reports if the multiple overlapping bills currently under consideration are combined and reconciled with new proposed metrics that emphasize real-time monitoring of security configuration, remote access, incidents, and other operational characteristics.