Modernizing FISMA. Again.

On October 2, the Senate Committee on Government Affairs and National Security unanimously approved the Federal Information Security Modernization Act (FISMA) of 2021 (S.2902). This bill strengthens cybersecurity throughout the federal government and improves the way agencies, the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of Management and Budget (OMB) collaborate in reporting federal network cyber incidents.

The bipartisan leadership of Chairman Gary Peters and Ranking Member Rob Portman on FISMA reform comes at a critical time for the federal government, which is still implementing controls in response to last year’s major cyber attacks and managing the ever-evolving threats to federal IT systems. While these reforms alone will not stop today’s most dangerous cyber attacks, modernizing FISMA will help the federal government recognize that risk management is at the heart of modern cybersecurity.

Before FISMA 2021

The SolarWinds cyber espionage attack and breach dominated media headlines and policy discussions about information and supply chain security practices. The cyber attack affected thousands of private companies and at least nine federal agencies. In February, Congress held hearings with SolarWinds executives and other technology company leaders, and in May 2021 the Biden administration issued Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity”, which included several ambitious deadlines to strengthen the cybersecurity of federal networks.

This FISMA update is an important first step in resolving supply chain security issues exposed by SolarWinds rather than simply identifying them.

FISMA 2021 has the potential to address two key weaknesses of the existing FISMA law. Currently, FISMA uses only qualitative measures to trigger federal actions and relies on static reports to demonstrate the health of IT systems. With the emergence of new technologies, security ratings, and real-time monitoring capabilities, FISMA 2021 would begin to assess cyber incidents quantitatively and to monitor systems continuously in real time.

Quantifying the significance of cyber incidents

Federal agencies are required to report cyber incidents to the government under FISMA, but there is currently no standard for quantifying a “significant cyber incident” as identified by Presidential Policy Directive-21.

Today, the significance of a cyber incident is defined qualitatively under FISMA, and is largely left to an agency’s interpretation of the law. This is why, according to news reports, only nine federal agencies were reported as directly breached in the SolarWinds attack, even though SolarWinds software was known to be present in more than nine agencies and in up to 18,000 private sector companies.

Rather than leaving the definition of a significant cyber incident solely to a subjective assessment, FISMA 2021 adds quantitative metrics to its assessments, opening the door to a broader interpretation of the statute (i.e., one that includes a cyber espionage campaign such as SolarWinds). With today’s technology capable of quantifying risk, such as machine learning and security ratings, agencies can now address this problem quickly, objectively, and with data.

Continuous and real-time monitoring

Current FISMA requirements include continuous monitoring of federal IT systems, but agencies lack the ability to monitor in real time and submit only quarterly reports on their cyber health. Under FISMA 2021, CISA and OMB would conduct risk assessments of agency systems on an ongoing basis as part of a broader risk management program. Continuous real-time monitoring would allow both OMB and Congress to exercise stronger oversight of the agencies defending IT systems.

FISMA reform will not stop cyberattacks or prevent ransomware. Today’s cyber threats cannot be completely stopped, but this bill will modernize the federal government’s approach to cybersecurity. By continuously quantifying and monitoring risks to federal IT systems, FISMA will finally recognize cybersecurity for what it really is: risk management.

Devin Lynch is Senior Director of Policy and Government Affairs at SecurityScorecard.
