Update to FISMA signed into law

After several Congressional sessions that saw proposed information security legislation fail to pass, within the span of 10 days in December both houses of Congress passed, and the president signed into law, the Federal Information Security Modernization Act of 2014. This act, which provides the first comprehensive update to federal security regulations since 2002, is touted by legislators and the media as a significant and long-overdue effort to bring federal cybersecurity practice into the 21st century, but upon initial inspection appears to be more of an incremental improvement rather than a sweeping change. The key provisions in the law – which handily condenses to the same FISMA acronym as its predecessor, the Federal Information Security Management Act of 2002 – serve to codify changes in federal policy and security management guidance to agencies that had previously been made through official memoranda issued by the Office of Management and Budget (OMB).

These changes to FISMA 2002 written into FISMA 2014 include:

  • A formal description of the roles and responsibilities for oversight of federal security management, divided among OMB, the Department of Homeland Security (DHS), and several Congressional committees
  • A shift in emphasis to continuous monitoring (termed “Continuous Diagnostics and Mitigation” to align with the DHS program of the same name) in place of the checklist-based documentation and reporting used since 2002
  • Mandatory security incident and breach reporting requirements, under which agencies must notify Congress of breaches and major security incidents

The new FISMA legislation remains limited in its applicability to federal executive branch agencies. Congress did, however, pass separate bills in the same session: one codifying the cybersecurity framework developed by the National Institute of Standards and Technology (NIST) as directed under the February 2013 Executive Order on critical infrastructure cybersecurity, and one formalizing the DHS National Cybersecurity and Communications Integration Center (NCCIC) as the government nexus for public and private sector information sharing about cybersecurity threats and incidents. The bulk of the FISMA 2014 text mirrors the 2002 law and the Government Information Security Reform Act of 2000, at least in terms of the primary obligations it imposes on federal executive agencies and their information security management programs.