Long-awaited FISMA Reforms May Hit Stumbling Block

Maksim Kabakou/

The House and Senate have hit a road bump in trying to update a 2002 law that monitors federal computer security by collecting binders of paper once a year.

Folding an overhaul of the Federal Information Security Management Act, or FISMA, into an annual must-pass defense law is one possibility for swift enactment, a congressional aide said. But other sources familiar with negotiations say inclusion of FISMA in the 2015 National Defense Authorization Act is now unlikely. 

"As of now, we're hearing there are no plans to include FISMA in NDAA," an industry source said on the condition of anonymity. "Historically, the chambers want to keep NDAA clean, and there are provisions in FISMA that are raising concerns."

The source declined to expand on the sticking points.

For going on half a decade, a bipartisan assortment of lawmakers has introduced what they consider high-priority proposals to mandate near real-time tracking of cyber vulnerabilities.

Several congressional aides say they still believe FISMA reforms will eventually go to President Barack Obama -- one way or another.

A committee aide said Sen. Tom Carper, D-Del., chairman of the Homeland Security and Governmental Affairs Committee, "is hopeful his cybersecurity legislation will pass before the end of the year. That being said, there’s still much more work to do in this area. He plans to continue to pursue cybersecurity as a top priority."

A House Homeland Security Committee aide said, "As always, we are looking at all options and continue to work with the Senate to get much-needed cybersecurity legislation signed into law." 

FISMA currently requires agencies to check off boxes on paper reports to Congress, once a year, stating that they have complied with security controls. Because threats change by the minute, critics say, that kind of annual compliance will not keep hackers at bay.

A House-passed bill and a similar measure sent to the Senate floor by Carper’s committee would move agencies toward a real-time surveillance environment. 

The House legislation, approved unanimously in April 2013, prescribes steps to "focus on automated and continuous monitoring of agency information systems and regular threat assessments." 

The Senate version, approved in June by the Homeland Security and Governmental Affairs Committee, would put DHS in charge of "compiling and analyzing data on agency information security" and helping agencies install tools "to continuously diagnose and mitigate against cyber threats and vulnerabilities, with or without reimbursement."

In July, the House passed other standalone cyber bills, including measures to expand DHS' computer security workforce, develop new network defense technologies and make permanent a DHS center that shares threat information with critical sectors. 
