FISMA, TSA IT measures on way to president
The FISMA overhaul incorporates the existing division of labor on protecting federal networks, while the TSA measure creates new levels of oversight for IT acquisition at the agency.
After a year of relative inactivity, lawmakers passed a host of bills in the closing days of the 113th Congress, including a pair that will affect cybersecurity on federal networks and IT acquisition at the Transportation Security Administration.
A bill updating the Federal Information Security Management Act is headed to President Barack Obama's desk for signing. The Federal Information Security Modernization Act incorporates the existing division of labor on protecting federal networks, with the Office of Management and Budget responsible for policy and the Department of Homeland Security focusing on implementation.
The bill also requires OMB and DHS to report on adoption of continuous monitoring technologies, including commercial products offered under the Continuous Diagnostics and Mitigation program run by DHS.
Much of the bill, which both chambers passed by voice vote, codifies existing administration policy and makes it difficult for subsequent administrations to abandon it or change direction.
The bill also obliges agencies to report to Congress about major information breaches on federal and contractor systems, and it tweaks governance authorities to require component CIOs carry out FISMA work under the direction of the top agency CIO or other senior official to whom responsibility is delegated.
"This bill will modernize our outdated federal network security laws, provide the tools and authorities needed to improve security at our federal agencies, and increase transparency and accountability for data breaches at federal agencies," said Sen. Tom Carper (D-Del.), a sponsor of the bill and chairman of the Senate Homeland Security and Governmental Affairs Committee. "On top of that, it allows taxpayer dollars to be better spent on improving network security by reducing unnecessary and burdensome paper-based reporting."
Sen. Tom Coburn (R-Okla.), ranking member of the committee and a co-sponsor of the bill, said, "For too long, the federal government has struggled with poor cybersecurity practices, which puts the American people's sensitive information at risk. This bipartisan reform bill is a small but significant step to address the problem."
The Senate passed the measure on Dec. 8, and the House cleared it for the president's signature on Dec. 10. Rep. Darrell Issa (R-Calif.), chairman of the House Oversight and Government Reform Committee, had his own bill that focused policy and implementation at OMB, which the House passed in April 2013.
Having a law on the books gets the attention of top agency leaders, said Dan Chenok, executive director of the IBM Center for The Business of Government. The FISMA modernization will spur agencies to "provide greater attention to information security in terms of their planning, and think of CDM as part of their overall technology portfolio," Chenok said. "I think the provisions of the bill will continue the improvement started by this administration and previous administrations going back to the original FISMA legislation, and create a stronger federal cybersecurity posture as a result," Chenok told FCW.
Improving IT acquisition at TSA
Legislation that aims to improve technology acquisition at TSA would require top agency officials to analyze proposed acquisitions and provide Congress with a justification of the security benefits of awards of more than $30 million 30 days before an award is made.
The House passed the measure 416-0 on Dec. 3. The Senate passed an amended version by voice vote on Dec. 9, and the House cleared the amended bill, 425-0, the next day.
TSA's acquisition practices have repeatedly come under fire from the agency inspector general's office, the Government Accountability Office and Congress. According to the committee report on the bill, TSA's current policies have "resulted in acquisitions that have failed to meet security performance objectives and/or wasted federal funds. Additionally, the private sector has criticized TSA for failing to accurately communicate technology needs and long-term investment plans, making it difficult for industry to plan ahead and invest in the next generation of security-related technologies."
"By ensuring that private industry has a seat at the table and that TSA does not purchase new technologies without proper planning, oversight and accountability, we can better safeguard our critical aviation sector, which remains a prime target for terrorists," Homeland Security Committee Chairman Michael McCaul (R-Texas) said in a statement.