The committee chair highlighted a need for incident reporting and other requirements for federal contractors.
Invoking cybersecurity threats posed by foreign adversaries, the House Oversight and Reform Committee unanimously approved efforts to create a program for training the government’s contracting officials and to strengthen the effectiveness of the Federal Information Security Modernization Act.
“Our complex global supply chains span continents, and are continuously targeted by bad actors looking for a backdoor into federal systems,” Committee Chairwoman Carolyn Maloney, D-N.Y., said during a markup session Wednesday. “To properly guard against these attacks, we must systematically equip our federal acquisition officials with the knowledge and tools they need to maximize their unique positions in our cybersecurity defenses.”
The Supply Chain Security Training Act would task the General Services Administration, in collaboration with the National Institute of Standards and Technology, with creating the training program that would then be implemented through the Office of Management and Budget.
Lawmakers view it as a natural complement to the FISMA update which would also extend the duration of the Federal Acquisition Security Council. The FASC, an interagency group led by GSA and OMB, has the power to recommend exclusion and removal orders of technology it determines to be too risky.
Many of the provisions in the bill to update FISMA echo those called for in a May executive order on improving the nation’s cybersecurity, which was issued in response to the breach of government contractor SolarWinds. Suspected Russian hackers penetrated the IT management firm’s operations and used their delivery mechanism to widely distribute a trojanized update to thousands of customers.
The event has focused government officials on the need to clear up confusion while remediating an attack—some agencies declared it a major incident while others did not, for example—and control the security of agencies’ information technology vendors.
“The SolarWinds investigation highlighted how critical it is to have clear incident reporting requirements with well defined roles and responsibilities,” Maloney said. “This brings new clarity to these areas which will save valuable response time during an attack. The bill also takes steps to increase supply chain security and transparency by requiring federal contractors to immediately report an incident impacting federal data or information systems.”
Maloney also noted provisions that would require agencies to log events and keep detailed inventories of their systems and related software components.
“With these inventories, we’ll be able to identify and mitigate vulnerabilities faster to better protect the federal government's mission and assets in a crisis, like the discovery of the log4j [vulnerabilities],” she said. “Inventories like this will be game changers.”
Speaking in favor of the Supply Chain Training Act, Rep. Scott Franklin, R-Fla., highlighted the role of the FASC in instituting the training program.
Federal CISO and current chair of the council Chris DeRusha has said he doesn’t view the FASC as the be-all-end-all for supply chain security. But Franklin said the FISMA bill recognizes a “central role” for the FASC in federal cybersecurity and that the training program “will prepare federal personnel to identify and mitigate security risks throughout the acquisition lifecycle of products and services, including information and communications technology. It “should help our federal agencies avoid purchasing software products vulnerable to malware,” he said.
Committee ranking member James Comer, R-Ky., speaking in support of the FISMA update, highlighted its codification of the federal chief information security officer’s role in statute as it relates to that of the national cyber director, who would be the point person for communicating with Congress under the legislation.
That’s one area where similar legislation to update FISMA in the Senate differs, but lawmakers in both chambers have committed to working together to resolve issues and pass the bill. The Senate bill, which doesn’t mention the federal CISO role, cleared committee in October.