Bipartisan FISMA update looks to tweak cyber incident reporting rules for agencies

A group of House and Senate members put forth legislation Wednesday to reform the two-decade-old law governing federal agency information security. 

The bicameral Federal Information Security Modernization Act of 2023 seeks to improve the coordination between the Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency, the Office of the National Cyber Director and other agencies and contractors in the event of a cyberattack.

“It has been almost a decade since Congress last addressed the structure, framework and evolution of federal cybersecurity in a comprehensive manner,” said Rep. James Comer, R-Ky., the chairman of the House Committee on Oversight and Accountability, in a statement. “The bipartisan, bicameral Federal Information Security Modernization Act of 2023 reflects years of diligent work between the House Oversight Committee and Senate Homeland Security and Governmental Affairs Committee to ensure the authorities and reporting responsibilities of our nation’s cybersecurity leadership is strengthened.”

The  House bill is cosponsored by Comer along with Reps. Jamie Raskin, D-Md.; Nancy Mace, R-S.C.; and Gerry Connolly, D-Va. Its Senate companion is being offered by  Sens. Gary Peters, D-Mich., chairman of the Homeland Security and Government Affairs Committee, and committee member Josh Hawley, R-Mo.

FISMA was last updated in 2014, when legislation codified the Department of Homeland Security’s role in implementing information security policies for non-national security agencies and providing technical assistance to those agencies, and clarified OMB’s oversight authority over infosec policies, as well as other actions.

The new bill goes further, requiring civilian agencies to report all cyberattacks to CISA and notify Congress of major incidents.

It includes language to strengthen coordination with the ONCD, calls for the CISA director and the Secretary of Defense to routinely brief Congress on the progress of zero trust implementation at federal agencies, designates CISA to issue guidance for agencies to use artificial intelligence to automate their cybersecurity — as well as guidance for requiring penetration testing — codifies the role of the federal chief information security officer, calls for the establishment of chief privacy officers within agency leadership and other updates. 

The bill also proposes agency leaders, among other requirements, “implement a single sign-on trusted identity platform for individuals accessing each public website of the agency that requires user authentication,” effectively pointing to the General Services Administration’s Login.gov as the platform in question. 

“From the OPM data breach in 2015 to the SolarWinds cyberattack in 2020, it’s clear that the federal government has more work to do to ensure the security of federal networks and the safety of sensitive federal data,” said Connolly — the ranking member of the Cybersecurity, Information Technology and Government Innovation Subcommittee — in a statement. “This legislation will bring us a giant step closer to realizing that goal, including by codifying the role of the Federal Chief Information Security Officer at OMB. I’m proud to join my colleagues in the House and Senate to introduce it today.”

This is not the first time Congress has tried to update FISMA. Last year, former Rep. Carolyn Maloney, D-N.Y., sponsored legislation that was ultimately reported favorably by the House Oversight Committee but never received a floor vote.