Modernizing FISMA. Again.

On Oct. 2, the Senate Homeland Security and Governmental Affairs Committee unanimously passed the Federal Information Security Modernization Act (FISMA) of 2021 (S.2902). This bill strengthens cybersecurity across the federal government and improves how agencies, the Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget collaborate on federal network cyber incident reporting. 

Chairman Gary Peters’ and Ranking Member Rob Portman’s bipartisan leadership on FISMA reform comes at a critical time for the federal government, which is still implementing controls from major cyberattacks of the past year, and managing the ever-evolving threats to federal IT systems. Although these reforms will not stop today’s most dangerous cyberattacks on their own, modernizing FISMA will help the federal government recognize that risk management is at the heart of modern cybersecurity.  

Leading up to FISMA 2021

The SolarWinds cyber espionage attack and breach focused media headlines and policy discussions on information and supply chain security practices. The cyberattack affected numerous private companies and at least nine federal agencies. In February, Congress held hearings with SolarWinds executives and other technology company leaders, and the Biden administration issued a May 2021 Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity,” which included several ambitious deadlines to strengthen the cybersecurity of federal networks. 

This update to FISMA is an important first step toward solving supply chain security problems exposed by SolarWinds rather than simply identifying them. 

FISMA 2021 has the potential to address two key weaknesses of the existing FISMA law. FISMA today only uses qualitative measures to trigger federal action and employs static reporting to demonstrate the health of IT systems. With the emergence of new technologies, security ratings and real-time monitoring capabilities, FISMA 2021 would begin to quantitatively assess cyber incidents and continuously monitor systems in real time. 

Quantifying the Significance of Cyber Incidents

Federal agencies are required to report cyber incidents to the government under FISMA, but no current standard exists to quantify a “significant cyber incident” as identified by Presidential Policy Directive-21. 

Today, a cyber incident’s significance is defined qualitatively under FISMA, and largely left to an agency’s interpretation of the statute. This is why, according to news reports, only nine federal agencies were directly breached as part of the SolarWinds attack, even though SolarWinds was known to be present in more than nine agencies and as many as 18,000 private-sector companies. 

Instead of leaving the definition of a significant cyber incident solely to subjective assessment, FISMA 2021 adds qualitative metrics to their assessments, opening the door to broaden the interpretation of the statute (i.e., to include a cyber espionage campaign, like SolarWinds). With the technology available today able to quantify risk, like machine learning and security ratings, agencies can now meet this problem quickly, objectively and with data. 

Ongoing and Continuous Monitoring 

The current FISMA requirements include continuous monitoring of federal IT systems, but agencies currently lack the capability to provide real-time monitoring and submit only quarterly reports of their cyber health. Under FISMA 2021, CISA and OMB would perform agency system risk assessments on a continuing and ongoing basis as part of a larger risk management program. Real-time continuous monitoring would enable both OMB and Congress to provide stronger oversight over agencies in defense of IT systems. 

FISMA reform will not stop cyberattacks or prevent ransomware. Today’s cyber threats cannot be stopped entirely, but this bill will modernize the federal government’s approach to cybersecurity. By quantifying and continuously monitoring the risks to federal IT systems, FISMA will finally recognize cybersecurity for what it really is: risk management.  

Devin Lynch is senior director of policy and government affairs at SecurityScorecard.