Long-awaited FISMA Reforms May Hit Stumbling Block


The House and Senate have hit a road bump trying to update a 2002 law covering federal computer security.

The House and Senate have hit a road bump trying to update a 2002 law that collects binders of paper once a year, as a way of monitoring federal computer security.

Folding an overhaul of the Federal Information Security Management Act, or FISMA, into an annual must-pass defense law is one possibility for swift enactment, a congressional aide said. But other sources familiar with negotiations say inclusion of FISMA in the 2015 National Defense Authorization Act is now unlikely. 

“As of now, we’re hearing there are no plans to include FISMA in NDAA,” an industry source said on the condition of anonymity. “Historically, the chambers want to keep NDAA clean, and there are provisions in FISMA that are raising concerns.”

The source declined to expand on the sticking points.

For nearly half a decade, a bipartisan assortment of lawmakers has introduced what they consider high-priority proposals to mandate near real-time tracking of cyber vulnerabilities.

Several congressional aides say they still believe FISMA reforms will eventually go to President Barack Obama -- one way or another.

A committee aide said Sen. Tom Carper, D-Del., chairman of the Homeland Security and Governmental Affairs Committee, "is hopeful his cybersecurity legislation will pass before the end of the year. That being said, there’s still much more work to do in this area. He plans to continue to pursue cybersecurity as a top priority."

A House Homeland Security Committee aide said, "As always, we are looking at all options and continue to work with the Senate to get much-needed cybersecurity legislation signed into law." 

FISMA currently requires agencies to check off boxes on paper reports to Congress, once a year, stating that they have complied with security controls. Because threat levels change by the minute, critics say, that kind of annual compliance reporting will not keep hackers at bay.

A House-passed bill and a similar measure sent to the Senate floor by Carper’s committee would move agencies toward a real-time surveillance environment. 

The House legislation, approved unanimously in April 2013, prescribes steps to "focus on automated and continuous monitoring of agency information systems and regular threat assessments." 

The Senate version, approved in June by the Homeland Security and Governmental Affairs Committee, would put DHS in charge of "compiling and analyzing data on agency information security" and helping agencies install tools "to continuously diagnose and mitigate against cyber threats and vulnerabilities, with or without reimbursement."

In July, the House passed other standalone cyber bills, including measures to expand DHS' computer security workforce, develop new network defense technologies and make permanent a DHS center that shares threat information with critical sectors. 

(Image via Maksim Kabakou/Shutterstock.com)