News Feature | July 28, 2014

FISMA Reform Efforts Aim For Balance Between CDM And FISMA


By Christine Kern, contributing writer

FISMA Reform Efforts

Legislation aimed at modernizing the 12-year-old Federal Information Security Management Act (FISMA), introduced by committee chairman Sen. Tom Carper (D-Del.) and ranking member Sen. Tom Coburn (R-Okla.), passed a vote by the Senate Homeland Security and Governmental Affairs Committee on June 25 and is now before the Senate.

Designed to protect the country’s national information infrastructure in the shadow of 9/11 and originally passed in 2002, FISMA established a series of standards and guidelines that agencies must meet. It was intended to drive the implementation of cost-effective information security programs and to support more secure and better-informed authorization decisions in federal agencies.

Advocating for continuous monitoring, the Federal Information Security Management Act of 2014 (FISMA 2014) relaxes the checklist-based reporting process, which many consider a time sink, trains more attention on monitoring and mitigating data breaches, and focuses senior agency officials on integrating and testing actual cyber security measures.

FISMA has increasingly been viewed by experts in and out of government as a time-consuming paperwork exercise in need of reform. Many see the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) program playing a more important role in federal cybersecurity.

“Fed cyber security leads tell us they spend 25 percent of their cyber security budgets on FISMA compliance,” Steve O’Keeffe, founder of MeriTalk, explained in the recent CDM Under the Hood report, performed by the MeriTalk Cyber Security Exchange. “Chipping in on future plans for FISMA reporting provides important insight on how CDM and FISMA can run together.”

According to the text of the legislation, the bill attempts to define the roles DHS and the Office of Management and Budget (OMB) play in the FISMA and CDM processes. Currently, DHS leads CDM’s implementation and works with OMB and the CIO Council to develop FISMA metrics. Under the new bill, however, DHS would take over FISMA operationally, while OMB would continue to have oversight of the process.

CDM is funded by Congress in support of FISMA. However, because agencies remain obligated to comply with the Federal Information Security Management Act of 2002, 50 percent of agencies still need to meet FISMA reporting requirements, at least until CDM can produce the data needed to supersede the current FISMA system.

Committee Chairman Sen. Tom Carper, D-Del., said the new measure strikes the right balance between FISMA and the emerging capabilities of CDM.

“I think we finally found the sweet spot,” Carper said. “Basically, if I could use an analogy here, the job of OMB is to steer the boat, to set the policy, to be the enforcer. The job of DHS is to help row the boat, and they work at this together.”

The House passed a similar FISMA reform bill, in a 416-0 vote, in April 2013. If the Senate passes this piece of legislation, the two bills would have to be reconciled before going to President Obama to be signed into law.