Federal cybersecurity laws have not been significantly updated since 2014, despite the ever-changing threat landscape.
Recent cyber attacks have allowed foreign adversaries and cybercriminals to access federal networks and impact national security. A recently disclosed breach of Microsoft’s cloud systems, which was discovered in June, enabled Chinese hackers to access government email accounts. Last month, several federal agencies also fell victim to cyber attacks exploiting a security vulnerability in a file transfer tool called MOVEit.
A network breach of software provider SolarWinds, first reported in 2020, compromised sensitive information at several federal agencies, including the Department of Homeland Security and the Department of Defense. In 2021, vulnerabilities in the Microsoft Exchange Server allowed the Chinese government to access the networks of thousands of organizations around the world – including U.S. government agencies.
This week, U.S. Senators Gary Peters (D-MI), Chairman of the Homeland Security and Governmental Affairs Committee, and Josh Hawley (R-MO), along with U.S. Representatives James Comer (R-KY) and Jamie Raskin (D-MD), Chairman and Ranking Member of the Committee on Oversight and Accountability, and Nancy Mace (R-SC) and Gerald E. Connolly (D-VA), Chairwoman and Ranking Member of the Subcommittee on Cybersecurity, Information Technology, and Government Innovation, introduced bicameral, bipartisan legislation to protect federal information technology systems.
The Federal Information Security Modernization Act (FISMA) of 2023 would improve coordination across the federal government to help civilian federal agencies and contractors protect their networks against cybersecurity threats. It also clarifies roles and responsibilities for key agencies that lead federal information security policy and operations.
The bipartisan legislation would overhaul and update the Federal Information Security Modernization Act of 2014 to support more effective cybersecurity practices throughout the federal government and improve coordination between the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the National Cyber Director, and other federal agencies and contractors when addressing online threats. The bill requires civilian agencies to report all cyber attacks to CISA and major incidents to Congress, and provides additional authorities to CISA for responding to incidents and breaches on federal civilian networks. The legislation also codifies aspects of President Biden’s Executive Order on Improving the Nation’s Cybersecurity to enforce higher-level security protections for federal information systems and the sensitive data they often store. Finally, the bill requires OMB to develop guidance for federal agencies to use so they can efficiently allocate the cybersecurity resources they need to protect their networks.
“Foreign adversaries and criminal hackers are relentlessly targeting federal networks to steal sensitive data, and we must modernize federal cybersecurity standards to prevent attacks that can compromise our national security,” said Senate Homeland Security and Governmental Affairs Committee Chairman Peters. “This bipartisan bill will help federal agencies prevent cyber-attacks and quickly address network breaches.”
“I am encouraged Congress is taking bipartisan action to improve and modernize the cybersecurity of the federal government,” said Senate Homeland Security and Governmental Affairs Committee Member Hawley. “As cyberattacks continue to expose federal technology vulnerabilities, particularly from foreign adversaries like the CCP, it is imperative we bolster our cybersecurity networks and defend our national security.”
“It has been almost a decade since Congress last addressed the structure, framework, and evolution of federal cybersecurity in a comprehensive manner. And in that time, we have seen criminal organizations, nation states, and all manner of enemies unleash a nonstop barrage of cyber attacks against American companies and federal agencies,” said House Oversight Committee Chairman Comer. “The bipartisan, bicameral Federal Information Security Modernization Act of 2023 reflects years of diligent work between the House Oversight Committee and Senate Homeland Security and Governmental Affairs Committee to ensure the authorities and reporting responsibilities of our nation’s cybersecurity leadership are strengthened. Under this bill’s reforms, the federal government’s cyber defenses will be modernized as technology evolves and threats become more sophisticated, persistent, and malicious.”
“The security of the federal government’s information technology systems, networks, and data is essential to serving the American people effectively. The bipartisan introduction of FISMA 2023 builds on years of important work by Committee Democrats to strengthen our federal networks against attacks by China, Russia, and other nefarious actors bent on destroying American democracy and prosperity,” said House Oversight Committee Ranking Member Raskin. “Among many notable advances of this bill, I’m especially proud that it will also ensure robust protections of our civil rights and civil liberties by requiring dedicated Chief Privacy Officers at federal agencies. I look forward to getting this bill to the President’s desk as soon as possible.”
“The cybersecurity of our federal information systems is a critical issue, not just to the Lowcountry but to all Americans,” said Cybersecurity, Information Technology, and Government Innovation Subcommittee Chairwoman Mace. “Criminals and nation states have upped their game to hack into our government’s computers and steal our personal data. It’s time the federal government loses the checkerboard and starts playing chess. The Federal Information Security Modernization Act of 2023 provides the federal government with the tools and guidance it needs to thwart such attacks. The bill promotes security principles and programs such as vulnerability disclosure programs, penetration testing, zero trust architectures, and the use of AI in automation. There is a role for all of us to play in protecting our federal cybersecurity posture, and our national security depends on it.”
“From the OPM data breach in 2015 to the SolarWinds cyberattack in 2020, it’s clear that the federal government has more work to do to ensure the security of federal networks and the safety of sensitive federal data,” said Cybersecurity, Information Technology, and Government Innovation Subcommittee Ranking Member Connolly. “This legislation will bring us a giant step closer to realizing that goal, including by codifying the role of the Federal Chief Information Security Officer at OMB. I’m proud to join my colleagues in the House and Senate to introduce it today.”