In the wake of several major cyberattacks launched over the past year, and the ongoing scramble to protect networks from the recently discovered Log4j vulnerabilities, the U.S. Congress sees an opportunity to modernize the Federal Information Security Modernization Act (FISMA). Although FISMA reforms were omitted from the National Defense Authorization Act signed into law last month, bipartisan lawmakers are currently pushing separate reform bills toward enactment this year.
What is FISMA?
FISMA is a U.S. federal law that requires federal agencies, along with supporting state agencies and contracted businesses, to develop, document and implement information security programs. FISMA compliance requires maintaining an up-to-date information system inventory, categorizing risk across system assets and data, developing a system security plan and implementing security controls, among numerous other provisions. The law, originally enacted in 2002 as the Federal Information Security Management Act and last amended in 2014 to add reporting and assessment mandates, is considered ripe for reform to keep pace with advancing technology and emerging threats.
Pivoting From Compliance to Outcomes
The existing FISMA framework has come under criticism for mandating overly burdensome reporting requirements, duplicating effort among agencies and emphasizing compliance over outcomes. Reforms under discussion in Congress seek to address these deficiencies by streamlining bureaucratic processes and prioritizing risk management instead of compliance. Proposed updates include:
- Promoting a risk-based approach: The Cybersecurity and Infrastructure Security Agency (CISA) and Office of Management and Budget (OMB) would perform continuous risk assessments of agency systems, enabling agencies to prioritize their defenses using real-time information. These assessments would be supplemented by penetration testing mandates, vulnerability disclosure programs and an accelerated push toward zero trust architectures.
- Clarifying and codifying federal cybersecurity roles: Responsibilities shared among the OMB, CISA and the National Cyber Director would be clearly delineated.
- Expanding inventory scope: Agencies would be required to maintain an inventory of all internet-accessible devices and to protect against supply chain vulnerabilities.
- Expediting and simplifying reporting requirements: The timeframe for reporting major cybersecurity incidents to Congress would drop from seven days to 72 hours, while the frequency of FISMA-mandated audits would also be reduced. These changes align with the objective of shifting resources toward responding to day-to-day incidents and away from complying with point-in-time audits.
- Implementing shared services: CISA would establish pilot programs to provide agencies with a shared security operations center and endpoint detection and response tools.
Although momentum appears to favor FISMA reform in 2022, congressional priorities can shift rapidly. But there’s no need to wait for an act of Congress to modernize your cybersecurity defenses. With our comprehensive cybersecurity services and extensive knowledge of the evolving cyber landscape, MBL Technologies can help you prepare for tomorrow’s threats today.