FISMA Update Excluded From Senate NDAA Amendment


Language instructing the Defense secretary to include CISA and the national cyber director in designing a pilot project for private-sector collaboration made it in.

Legislation seeking to redefine protocols for federal agencies to report cybersecurity incidents and employ risk-based budgeting may be grounded after initial Senate deliberations on the National Defense Authorization Act.

The changes are aimed at the Federal Information Security Modernization Act, which was last updated in 2014. They were part of an amendment filed for attachment to the NDAA by Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio—the chair and ranking member of the Senate Homeland Security and Governmental Affairs Committee. But the amendment, which also included incident reporting requirements for private-sector entities, was not part of a substitute amendment Senate Armed Services Committee Chairman Jack Reed, D-R.I., offered Friday after the Senate began consideration of the House-passed NDAA on Thursday.

Other high-profile cybersecurity provisions to identify systemically important critical infrastructure, or SICI, and to establish a Joint Collaborative Environment at the Cybersecurity and Infrastructure Security Agency, were also excluded from Reed’s proposal. But unlike those provisions, there is no counterpart for the FISMA update in the House NDAA that would force senators to reconsider when the chambers form a conference committee to reconcile their respective versions of the bill.

“They’re running out of runway for FISMA,” a House aide told Nextgov. “Every day that ticks by now, it’s not going to happen.” By contrast, with provisions that make it to the conference, House negotiators might only need to pull one or two key senators over to their side, the aide said.

Peters did succeed in attaching an amendment to Reed’s proposal that would require the secretary of Defense to consult with the director of the Cybersecurity and Infrastructure Security Agency and the national cyber director in designing a pilot program for the department to collaborate with the private sector. Peters’ Senate Amendment 4405 was included Friday in a manager’s package modifying Reed’s substitute amendment, according to a Senate Armed Services Committee aide. 

The amendment relates to concerns the White House raised Wednesday with Sec. 1605 of the Senate proposal. 

“Many of the authorized activities would be achieved more effectively through existing federal activities, such as the Cybersecurity and Infrastructure Security Agency’s Joint Cyber Defense Collaborative and several Federal Bureau of Investigation and other law enforcement programs,” reads a statement of policy on the Senate’s NDAA that the administration released Wednesday from the Office of Management and Budget. “Establishing a separate pilot program led by DOD would further complicate federal efforts to collaborate with the private sector, including 'internet ecosystem companies,' in a unified, coordinated manner.”

The White House expressed general support for the NDAA moving forward but opposed measures the Senate included that it said would limit the government’s ability to address threats on the horizon. The administration didn’t want to be prevented from decommissioning battleships or forced to maintain certain inventory levels for tactical airlift and fighter aircraft systems, for example.

“Such provisions would limit the Department’s flexibility to prioritize resource investment, delay modernization of capabilities, and impede implementation of the emergent National Defense Strategy,” the White House release said. 

On Thursday, the White House also released the President’s Management Agenda, which emphasizes making way for more cybersecurity and modernization.

The Senate is expected to resume consideration of the NDAA at 3 p.m. on Nov. 29.