Long-awaited FISMA Reforms May Hit Stumbling Block

The House and Senate have hit a road bump trying to update a 2002 law that collects binders of paper once a year, as a way of monitoring federal computer security.

Folding an overhaul of the Federal Information Security Management Act, or FISMA, into an annual must-pass defense law is one possibility for swift enactment, a congressional aide said. But other sources familiar with negotiations say inclusion of FISMA in the 2015 National Defense Authorization Act is now unlikely. 

“As of now, we’re hearing there are no plans to include FISMA in NDAA,” an industry source said on the condition of anonymity. “Historically, the chambers want to keep NDAA clean, and there are provisions in FISMA that are raising concerns.”

The source declined to expand on the sticking points.

For going on half a decade, a bipartisan assortment of lawmakers has introduced what they consider high-priority proposals to mandate near real-time tracking of cyber vulnerabilities.

Several congressional aides say they still believe FISMA reforms will eventually go to President Barack Obama -- one way or another.

A committee aide said Sen. Tom Carper, D-Del., chairman of the Homeland Security and Governmental Affairs Committee, "is hopeful his cybersecurity legislation will pass before the end of the year. That being said, there’s still much more work to do in this area. He plans to continue to pursue cybersecurity as a top priority."

A House Homeland Security Committee aide said, "As always, we are looking at all options and continue to work with the Senate to get much-needed cybersecurity legislation signed into law." 

FISMA currently requires agencies to check off boxes on paper reports to Congress stating they have complied with security controls -- once a year. As threat levels change every minute, compliance will not keep hackers at bay, critics say. 

A House-passed bill and a similar measure sent to the Senate floor by Carper’s committee would move agencies toward a real-time surveillance environment. 

The House legislation, approved unanimously in April 2013, prescribes steps to "focus on automated and continuous monitoring of agency information systems and regular threat assessments." 

The Senate version, approved in June by the Homeland Security and Governmental Affairs Committee, would put DHS in charge of "compiling and analyzing data on agency information security" and helping agencies install tools "to continuously diagnose and mitigate against cyber threats and vulnerabilities, with or without reimbursement."

In July, the House passed other standalone cyber bills, including measures to expand DHS' computer security workforce, develop new network defense technologies and make permanent a DHS center that shares threat information with critical sectors. 

(Image via Maksim Kabakou/
