Cybersecurity: FISMA Reform

This report briefly discusses current requirements under the Federal Information Security Management Act (FISMA) and two bills currently being considered by Congress that would revise the conditions and authority granted by FISMA.

CRS Insights Cybersecurity: FISMA Reform Eric A. Fischer, Senior Specialist in Science and Technology (, 7-7071) November 24, 2014 (IN10186) Two bills to revise the Federal Information Security Management Act (FISMA, 44 U.S.C. Chapter 35, Subchapter III) are being considered in the 113 th Congress. H.R. 1163 passed the House in April 2013, and S. 2521 was reported to the Senate in September 2014. Current FISMA Requirements Enacted in 2002, FISMA created a security framework for federal information systems. It emphasizes risk management and gives specific responsibilities to the Office of Management and Budget (OMB), the National Institute of Standards and Technology (NIST), and individual federal agencies. FISMA gives OMB responsibility for overseeing federal information-security policy, evaluating agency information-security programs, and promulgating cybersecurity standards developed by NIST. It requires executive agencies to inventory major computer systems, identify and provide appropriate security protections, and develop, document, and implement agency-wide information-security programs. Agencies must provide security protections commensurate with risk and comply with applicable security standards. They must perform risk assessments, determine and implement necessary security controls in a cost-effective manner, and evaluate those controls periodically. Each agency must designate an information-security officer, with responsibilities including agency-wide information-security programs, policies, and procedures, training of security and other personnel, processes for remedial action to address deficiencies, and procedures for handling security incidents and ensuring continuity of operations. Agencies must also develop performance plans, effect independent annual evaluations of their cybersecurity programs and practices, and provide annual reports on compliance and effectiveness to Congress. FISMA security requirements also apply to contractors who run information systems on behalf of an agency. The act exempts national security systems (NSS) from its requirements, except with respect to enforcement of accountability by agencies for meeting requirements, and reporting to Congress. NSS fall under the jurisdiction of the interagency Committee on National Security Systems (CNSS). However, FISMA requires that CNSS and FISMA standards be complementary to the extent feasible. It also gives responsibility for protection of mission-crucial systems in DOD and the CIA to the Secretary of Defense and the CIA Director, respectively. The law also established a central federal incident center, overseen by OMB, to analyze incidents and provide technical assistance relating to them, to inform agency operators about current and potential threats and vulnerabilities, and to consult with NIST, NSA, and other appropriate agencies about incidents. Issues and Concerns A commonly expressed concern about FISMA is that it is awkward and inefficient in providing adequate cybersecurity to government IT systems. The causes cited have varied but themes have included inadequate resources, a focus on procedure and reporting rather than operational security, lack of widely accepted cybersecurity metrics, variations in agency interpretation of the mandates in the act, excessive focus on individual information systems as opposed to the agency's overall information architecture, and insufficient means to enforce compliance both within and across agencies. Weaknesses in FISMA implementation have been cited by GAO. In 2010, OMB attempted to address some of the operational issues administratively by delegating some operational responsibilities to the Department of Homeland Security (DHS). Debate over legislation to amend FISMA has involved several issues, including the following: The roles of OMB and DHS. Some observers believe that DHS should be given statutory authority for the operational responsibilities that have been delegated to it, arguing that such authority would clarify those responsibilities and help strengthen DHS capabilities. Others, however, believe that OMB should retain the capability to delegate operational responsibilities, given the continuing rapid evolution of the cybersecurity threat environment and uncertainties about DHS capacity to be effective in this role. Revisions to agency responsibilities. Some believe that agency responsibilities should be modified to include specific operational requirements such as continuous monitoring and use of metrics, and that more emphasis should be placed on risk-based rather than minimum security measures. Others argue that such specific requirements should not be codified in statute but included instead in the NIST standards, which can be revised more readily in response to changes in the information technology environment. Changes in reporting requirements. Some argue that more emphasis should be placed on immediate sharing of cybersecurity information aimed at preventing and mitigating attacks, rather than periodic reporting of compliance. Others argue that such reporting is needed for adequate oversight, and that FISMA currently provides sufficient flexibility to permit rapid information sharing. Cybersecurity requirements for contractors. Some argue that FISMA provisions relating to contractor cybersecurity should be more stringent, especially given the absence of specific contract-language requirements relating to FISMA in the Federal Acquisition Regulations (FAR). Others argue that current statutory authority is sufficient, and that any improvements needed can be accomplished via NIST standards and changes to the FAR. Current Bills Among the changes to FISMA being considered in current bills are the following: S. 2521 would provide operational authority to DHS; H.R. 1163 would not. H.R. 1163 would require automated and continuous monitoring of agency information systems; S. 2521 would not. Both bills stress timely reporting of incidents after discovery. H.R. 1163 would strike the requirement for annual independent evaluations; S. 2521 would retain it. S. 2521 would transfer authority for the federal incident center to DHS; H.R. 1163 would not and would require OMB to ensure that the incident center has the capabilities needed to ensure fulfillment of its mission. S. 2521 would require OMB to establish procedures to be followed after a cybersecurity incident involving a breach of personally identifiable information; H.R. 1163 has no corresponding provision. However, H.R. 3635, which passed the House in July 2014, would amend FISMA to establish requirements in the event of such a data breach. Neither H.R. 1163 nor S. 2521 directly address the issue of contractor compliance with FISMA requirements, but NIST has developed a draft set of standards for nonfederal systems on protection of federal information that they contain or process. Neither bill mentions the DHS National Cybersecurity and Communications Integration Center (NCCIC) which serves as the FISMA incident center through its United States Computer Emergency Readiness Team (US-CERT) branch. However, H.R. 3696 and S. 2519 would establish the NCCIC in law.