Legislation reflecting efforts by Congressman Jim Langevin (D-RI) to reform the federal government's outdated cybersecurity practices has passed the House with overwhelming bipartisan support. The Federal Information Security Amendments Act of 2012 (H.R. 4257), approved late Thursday by a voice vote, would establish a mechanism for stronger oversight of federal agency practices through a focus on automated and continuous monitoring of cybersecurity threats and the implementation of regular threat assessments. Sponsored by Congressman Darrell Issa (R-CA), who chairs the Oversight and Government Reform Committee, the bill updates the Federal Information Security Management Act (FISMA) of 2002, which required federal agencies to identify and minimize potential risks in information systems for unclassified programs or functions.
"I thank Chairman Issa for his hard work to update the Federal Information Security Management Act, working in a bipartisan way to accomplish an important goal in our cybersecurity policy," said Langevin, who co-founded the bipartisan Congressional Cybersecurity Caucus. "There can be no question that the FISMA reform language considered by the House is both sorely needed and long overdue."
The bill is similar to a proposal that Langevin pushed through the House on a bipartisan basis in 2010 as an amendment to the FY 2011 National Defense Authorization Act. Unfortunately, the Senate stripped the language during Conference negotiations. FISMA reform was also one of the recommendations of the CSIS Commission on Cybersecurity for the 44th Presidency that Langevin co-chaired.
The initial CSIS report noted that while the annual reports currently mandated under FISMA are supposed to give government executives overall insight into security management of their networks, they do not provide the minute-by-minute view into network security that is needed. Langevin's 2010 bill required agencies to undertake automated and continuous monitoring of their systems to ensure compliance and identify deficiencies and potential risks caused by cyber incidents or threats to an agency's information technology assets. These activities were intended to move agencies away from the current manually intensive, compliance-focused, periodic assessments.
Bipartisan commitment to a strong White House Cyber Office:
During House consideration of H.R. 4257, Langevin also received support from Issa to work toward another key part of Langevin's 2010 amendment and the CSIS recommendations by strengthening the cybersecurity office in the White House, while increasing congressional oversight. Langevin's prior legislation would have established a National Office for Cyberspace (NOC) to evaluate and enforce requirements for federal agencies to protect themselves, make certain that the government utilizes the most advanced and secure technology possible, and train a workforce to defend the country against attacks. The Director of the NOC would be appointed by the President, subject to Senate confirmation and Congressional oversight, and have strong budgetary and policy oversight authorities to ensure agencies have the best possible information security budgets.
Excerpt of Langevin and Issa remarks:
"Such an office has been recommended by the Obama Administration's 60-Day Cyberspace Policy Review, public-private sector working groups such as the CSIS Commission on Cybersecurity for the 44th Presidency and the GAO, as a response to security deficiencies throughout the federal government," said Langevin, addressing Issa. "While I applaud my friend for delivering on the need for FISMA reform, I would ask him if he gave thought to such organizational changes within the executive branch, and in particular, an organization like a National Office for Cyberspace, during the drafting of this legislation."
"I share with you that your suggestions on how we can in fact find single point accountability in future legislation, in concert with this administration, is essential," said Issa in response. "I look forward to working with you on exactly that. I know of no other partner I could have on the other side of the aisle that is more prepared to do it."