Top cyber officials told lawmakers weighing reforms to the Federal Information Security Management Act that updates need to take into account an increased threat surface that comes with technological advances and focus on a whole-of-government approach that also draws on lessons learned in the private sector.
At a Tuesday hearing before the House Oversight and Reform Committee on FISMA reform, Chairwoman Carolyn Maloney (D-N.Y.) and Ranking Member James Comer (R-Ky.) released new discussion draft legislation, the Federal Information Security Modernization Act of 2022.
“It’s no longer enough to guard our networks at their perimeters, as was the focus in the past,” Maloney said. “Today, we must also guard within the perimeter, continuously monitoring for the smallest trace of abnormal activity that might signal an intruder. Modernization cannot wait, because our adversaries certainly won’t.”
Government Accountability Office Director of Information Technology and Cybersecurity Jennifer Franks told lawmakers that in fiscal year 2020 the 23 civilian CFO Act agencies “reported progress toward meeting federal cybersecurity targets; nevertheless, a majority of the agencies reported not fully meeting the targets.” Eighteen agencies reported meeting targets related to intrusion detection and prevention, while 19 agencies reported meeting the target related to automated access management. Recent GAO reviews have specifically identified cybersecurity weaknesses at agencies including the Internal Revenue Service (IRS), Department of Housing and Urban Development (HUD), Defense Department, and Centers for Disease Control and Prevention.
Officials such as CIOs and CISOs at all 24 CFO Act agencies credited FISMA with helping improve their security posture, including through security mandates and helping them justify cybersecurity requests to management (though officials at 10 agencies said a lack of resources has hindered their ability to implement FISMA requirements).
“Agency officials also provided a number of suggestions for improving the effectiveness of the FISMA metrics, annual evaluations, and reporting process,” Franks said, including “updating the FISMA metrics and keeping them current to enhance their effectiveness,” doing FISMA audits focused “less on compliance with the metrics and more on other factors such as risk management,” including “more automation instead of manual data calls” in the reporting process, “making changes to the IG evaluation process and the maturity ratings,” and “lessening the frequency of FISMA-mandated audits to reduce the burden of the annual review cycle.”
“Until federal agencies are able to fully implement federal cybersecurity requirements, their systems and data will remain at heightened risk,” she noted.
The Federal Information Security Management Act of 2002 and the Federal Information Security Modernization Act of 2014 “have been instrumental in driving creation of risk management programs and the implementation of cybersecurity capabilities at federal agencies,” former Federal Chief Information Security Officer Grant Schneider, now senior director of cybersecurity services at Venable, said in prepared testimony, but “FISMA must evolve just as the threats and the nature of our Information Technology environments continue to evolve.”
Digital enhancements implemented by government agencies and the private sector that “increase productivity, increase convenience, and increase access to services” also increase the threat surface “as organizations interconnect systems and move more sensitive information and transactions online,” he noted. And while a whole-of-government approach is critical to confront today’s cyber threats, including “diplomatic efforts and offensive cyber operations to deter and disrupt nation state and criminal malicious cyber actors,” the “primary line of defense is defensive in nature.”
Schneider urged that FISMA updates clarify key federal cybersecurity roles and responsibilities, codify the role of the federal CISO as deputy national cyber director with approval authority over CISA and agency cybersecurity budgets, require agencies to gain greater situational awareness of their technology environments through assessments and inspections, “hold OMB accountable for maintaining the definition of a major incident to ensure the right level of information is being reported to Congress,” and “require greater alignment of core cybersecurity requirements” based on NIST guidance.
Former FBI Chief Information Officer Gordon Bitko, now senior VP of policy, public sector, at the Information Technology Industry Council (ITI), stressed that the SolarWinds cyber attack and current Log4j vulnerability “bookend multiple significant cyber attacks on critical industries, service providers, the defense industrial base, and governments around the world,” and “federal cybersecurity cannot be something that we only pay attention to after the highest-profile failures.”
“Encouragingly, the federal government’s response to the Log4j vulnerability so far has shown evidence of improvement, as compared to the response to SolarWinds; particularly with more rapid and effective sharing of information and shorter timelines for mitigation,” he said, but many of federal agencies’ current struggles with cybersecurity can be linked to FISMA’s “focus on inputs and compliance with planning requirements and process rather than outcomes,” “requirements that create duplication of effort across agencies,” and “lack of comprehensive real-time information” collected across agencies.
“Any modernized federal cybersecurity legislation must be vastly more adaptable, facilitate better collaboration and security across government, all while enabling standardized and high-quality ongoing assessments of agency cyber risk management resulting in government agencies that are constantly aware of and accounting for cyber risks at all levels and in real-time,” Bitko continued. “That awareness and better collaboration and communication, in turn, will enable federal network defenders and CISA to have a much more comprehensive view of the federal IT infrastructure as a whole, thereby enabling more cohesive and better defended networks and systems.”
Bitko recommended that FISMA reforms promote a risk-based approach with a focus on outcomes, establish formal processes to promote the reciprocity of security reviews across government, ensure additional alignment between security requirements for national security systems and non-national security systems, ensure consistency through a holistic approach to updating FISMA in line with other federal cybersecurity frameworks and best practices of private industry, drive automation of assessment processes including standardized information-sharing procedures across government, and improve audits of FISMA compliance through widespread and continuous monitoring.
Renee Wynn, former chief information officer at NASA, urged lawmakers to “continue a risk-based approach that emphasizes all types of technology: Information Technology (IT), Operational Technology (OT) and the fastest growing segment, Internet of Things (IoT),” as “all these elements of technology are used by the federal government to improve mission effectiveness, efficiencies, and the customer experience.”
Factors in FISMA success include “establishing a risk framework, adopting metrics aligned with that framework and implementing culture changes,” she said, along with the Continuous Diagnostics and Mitigation (CDM) program, which helps agencies improve their cybersecurity posture and “gave a first peek at what was truly happening on federal government networks.”
FISMA changes “should include provisions on addressing the cyber risks posed through the information and communications technology (ICT) supply chain used by the federal government,” Wynn said, and should recognize that “technological advances provide opportunities for government operations to be more effective and efficient.”
“The next iteration of FISMA must mandate that the U.S. federal government use secure IoT, especially for medical purposes,” she added, emphasizing that “these reports should not be made public because the more nation-state threat actors know about federal operations, the more vulnerable the operations become.” Congress should also strive toward “ensuring a culture attentive to cybersecurity risks,” not just through legislation but also by questioning agency leaders at hearings.
Former chief of the Office of Management and Budget cybersecurity team Ross Nodurft, now executive director at the Alliance for Digital Innovation, said the proposed FISMA legislation recently approved in committee in the Senate “contains several important changes, but could be more comprehensive in its handling of cybersecurity as a holistic public-sector priority” and Congress should “also look to update other key laws dealing with government information technology policy, acquisition, and governance.”
“FISMA reform should update and align cybersecurity roles and authorities; address incident response, breach notification, and vulnerability management; reinforce the government’s shift to commercial technologies, use of automation and meaningful reciprocity; effectively budget for cybersecurity and invest in risk management; modernize and standardize cybersecurity performance metrics and measurements,” Nodurft said.
“As Congress considers defining major incidents or codifying vulnerability response policies, any legislation should be mindful of the dynamic nature of responding to cybersecurity challenges facing government networks. If Congress is overly prescriptive in its definition of an incident, it runs the risk of receiving so many notifications that the incidents which are truly severe are missed or effectively drowned out due to the frequency of reporting,” he said.
“Along the same lines, codifying the need for vulnerability management programs is important. However, being prescriptive about the ways to prevent various vulnerabilities may create overly burdensome processes that could bog down agency response efforts to mitigate and eventually patch significant vulnerabilities. Language that reflects today’s technology runs the risk of becoming obsolete when it comes to the systems of tomorrow.”