Closing the Gap on Cyber Policy by Focusing on FISMA

Yuichiro Chino/Getty Images

When it comes to federal cybersecurity policy, the executive branch is far ahead of Congress.

The White House’s cyber executive order and subsequent policies like the zero-trust strategy have set the course for federal agencies to secure their missions against advanced cyber threats posed by Russia, China, ransomware gangs and other criminal actors. 

But Congress has also been hard at work. Both chambers have been focusing on important incident reporting legislation and on revamping the Federal Information Security Modernization Act of 2014. Currently, two bills are in play to update FISMA—H.R. 6497 and S. 3600.

As these bills are reconciled between the two chambers, Congress has a tremendous opportunity to improve the federal government’s overarching cyber legislation by:

  • Aligning with executive branch priorities and strategies for federal cybersecurity,
  • Focusing on getting to the left of incidents (prevention and detection activities), and
  • Streamlining and improving reporting, auditing, and congressional oversight.

The top area where Congress and the administration need to align is zero-trust implementation, based on the concept, “never trust, always verify.” This means that devices should not be trusted by default, even if they are connected to a permissioned network, such as a corporate local area network, and even if they were previously verified.

While many agencies have developed zero-trust strategies and roadmaps, they will take years to fully implement. Codifying tenets of zero trust into law—like multi-factor authentication, enterprise-wide logging, and endpoint detection and response—will help to ensure the type of sustained focus needed, providing consistency across future administrations. 

Moving left of incidents through enhanced prevention and detection requires a comprehensive threat-hunting focus, robust supply chain risk management, and the bolstering of cyber defense systems at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. 

Best practice has shifted from just vulnerability management to comprehensive threat evaluations. Also, the ubiquitous and continuously evolving nature of our supply chain risks requires enhancing management practices throughout program lifecycles. 

In addition, CISA’s defense systems, particularly EINSTEIN—which detects and blocks cyberattacks from compromising federal agencies—and the Continuous Diagnostics and Mitigation Program, need to keep pace with agencies’ migrations to cloud offerings and zero-trust approaches.

Another area where FISMA reform is critical is in the streamlining of reports and audits. The lengthy narrative reports and audits produced in recent years are filled with dated information and have failed to yield benefits commensurate with the investment. A common set of metrics should be used internally at agencies, by the Office of Management and Budget, the audit community, and Congress. This will result in a better measurement of our security posture and will also free up valuable people and budget to focus on our national security. 

We urge Congress to revisit the suggestions from our October 2021 paper, Eight Recommendations For Congress To Improve Federal Cybersecurity. Some of these recommendations have already been adopted into the pending FISMA legislation; others have yet to be incorporated. As H.R. 6497 moves toward the floor, there are opportunities to incorporate these recommendations into the bill and to work for their inclusion into any negotiated conference bill.

Now is the time to update FISMA and align both our executive and legislative branch cyber policies. We should take full advantage of Congress’ current interest in updating FISMA to push forward as far as we can with changes to improve the government’s ability to deploy and maintain secure systems ready for today’s threats and to increase the effectiveness of oversight activities. 

Dave Powner is the executive director for MITRE’s Center for Data-Driven Policy and former director of IT Management Issues at the Government Accountability Office.

Mark Peters is a cyber policy and strategy specialist at MITRE and a recent Brookings LEGIS congressional fellow for Rep. Elissa Slotkin.