Lawmakers Propose Changes to FISMA
The House Oversight and Reform Committee is seeking to reform the Federal Information Security Modernization Act to assign clear roles and responsibilities for federal cybersecurity leadership. The draft reform bill for FISMA was released on Tuesday.
Committee Chairwoman Carolyn Maloney said during a hearing that reforming FISMA will ensure that intellectual property, sensitive data, essential networks and other elements relevant to the country’s economy and national security are protected. She added that the amendments are similar to a piece of legislation released earlier in 2021 that would update how agencies prepare for and respond to cyberattacks.
According to the draft amendment, the Office of Management and Budget will be responsible for developing federal cybersecurity policy and for oversight. The Cybersecurity and Infrastructure Security Agency will be responsible for operational coordination, while the national cyber director will be responsible for cybersecurity strategy. If approved, the amendment will be the first update to FISMA since 2014, Federal News Network reported Tuesday.
In addition to the role assignments, the draft would codify the role of the federal chief information security officer's office in law. Other provisions in the bill include reducing reporting requirements for agencies, delegating risk assessments to CISA and requiring agencies to maintain an inventory of software bills of materials (SBOMs) as part of their supply chain risk management programs.
Lawmakers said the bill would help agencies improve their security visibility and adopt zero trust architectures. However, some organizations asked legislators to practice balance in their proposals.
Gordon Bitko, senior vice president of policy at the Information Technology Industry Council, said while strong cybersecurity measures are important, agencies must also have the flexibility to deal with their own risks and understand their own landscape. Ross Nodurft, executive director of the Alliance for Digital Innovation, argued that SBOMs should be used in a targeted, risk-based manner to avoid overburdening industry providers.