Congress passed the 2014 update to the Federal Information Security Management Act (FISMA) last week as the legislative session came to a close. The new law looks to streamline security reporting, increase information sharing on breaches and codify which agencies are responsible for assessing the government's security posture.

"Since the passage of FISMA, agencies have made progress in setting up consistent information security programs across government. Unfortunately, however, they have not kept up with the cyber threat that has grown even faster and larger than Congress could have foreseen in 2002," Sen. Tom Carper, D-Del., wrote in the summary report for the Committee on Homeland Security and Governmental Affairs. The 2014 update moves to "clarify the roles of the OMB and DHS; reduce paperwork and speed up the move toward real-time security; and make important improvements to the way federal data breaches are handled."

A major change for agency workflow eliminates the three-year "Certification and Accreditation" report — a massive undertaking often criticized for creating a lot of paperwork without increasing security.


Instead, the 2014 FISMA shifts the focus to continuous monitoring. The law mandates that OMB revise reporting guidelines within 180 days to get rid of 'check-the-box' compliance and set up a new standard.

The law also mirrors new responsibilities established in the Federal Information Technology Acquisition Reform Act (FITARA), which also passed Congress this session and requires department-level CIOs to take the lead in setting requirements for component agencies. Language within the 2014 FISMA gives department-level CIOs authority over security policy down the line.

The last significant change reiterates OMB's standing to set security policy but establishes DHS as the lead for day-to-day security issues, including assisting agencies after a breach is detected.

Under the revised law, OMB retains its authority over budgets and issuing guidance on IT security policies, while DHS takes over the operational functions.

Carper noted DHS has more than 400 employees "dedicated to the security of government networks," whereas OMB "has the equivalent of only 2-3 full-time employees on the 'management' side overseeing security for the entire federal government and does not possess the technical capabilities of an operational department such as DHS."

A few other new requirements:

■ Agencies must notify Congress of security incidents within seven days of detection, including information on threats and threat actors, vulnerabilities and impacts relating to the incident; a risk assessment of affected systems prior to the incident; and detection, response and remediation actions.

■ Agencies must submit an annual report on major incidents to OMB, DHS, Congress and the Comptroller General (GAO). OMB is charged with compiling the reports and issuing an annual summary to Congress.

■ OMB must develop a policy for reporting breaches involving personally identifiable information to those affected, Congress and the Federal Information Security Incident Center.

The bill was sent to the White House on Dec. 12 and is awaiting the president's signature.
