FISMA Reform Unanimously Passes House

It’s official: on April 16, 2013, the House of Representatives unanimously approved a bill making the first significant reforms in 11 years to the way the federal government governs information security.

The Federal Information Security Amendments Act of 2013 (H.R. 1163) updates the Federal Information Security Management Act of 2002. The House also overwhelmingly approved the Cyber-security Enhancement Act, created to advance cyber-security research and development, and expand and train a cyber-security workforce. Both measures go to the Senate for its consideration.

This new act will require federal agencies to continuously monitor their IT systems for cyber-threats and implement regular threat assessments.

The bill’s chief sponsor, Rep. Darrell Issa (CA Rep.) who chairs the House Oversight and Government Reform Committee said, “This bipartisan legislation will address the shortcomings of FISMA by incorporating recent technological innovations, and enhance and strengthen the current framework that protects federal information technology systems.”

The bill would make each department secretary and agency director accountable for their organization’s IT security. Even though most federal agencies have chief information security officers to coordinate IT security activities, this new FISMA legislation would require them to have CISOs to develop, implement and oversee agency-wide IT security programs. The bill would also require each CISO to have the “necessary qualifications,” including education, training, experience and security clearance.

The bill’s intent is to address perceived shortcomings of FISMA, such as a checkbox mindset in the federal government in which checking items off a list to impress auditors seemed more important than continuously monitoring systems to verify that they’re secure.

Once approved by the Senate and signed into law by President Obama, the bill would require federal agencies to employ a risk-based approach to defend against cyber-attacks. This would include penetration testing in which “white-hat hackers” break into government IT systems to identify vulnerabilities.

TalaTek is a Woman-Owned W8 SBA business that specializes in continuous monitoring, compliance and penetration testing.  We’re ready when you are.

Skip to content