At Bipartisan Hearing, Oversight Committee Leadership Releases Discussion Draft Bill to Strengthen Federal Cybersecurity
Washington, D.C. (January 11, 2022)—Today, Rep. Carolyn B. Maloney, Chairwoman of the Committee on Oversight and Reform, held a hearing with cyber experts to discuss strategies to strengthen the Federal Information Security Management Act (FISMA), which has not been updated since 2014.
“Threats have transformed dramatically since FISMA was last updated in 2014, and in ways that were unimaginable when the law was first written twenty years ago. Now, it’s no longer enough to guard our networks at their perimeters, as was the focus in the past. Today, we must also guard within the perimeter, continuously monitoring for the smallest trace of abnormal activity that might signal an intruder. Modernization cannot wait, because our adversaries certainly won’t,” said Chairwoman Maloney in her opening statement.
The Committee heard testimony from Grant Schneider, Senior Director of Cybersecurity Services, Venable, and former Federal Chief Information Security Officer, Office of Management and Budget; Gordon Bitko, Senior VP of Policy, Public Sector, Information Technology Industry Council, and former Chief Information Officer, FBI; Renee Wynn, Consultant and former Chief Information Officer, NASA; Jennifer R. Franks, Director of Information Technology and Cybersecurity, U.S. Government Accountability Office; and Ross Nodurft, Executive Director, Alliance for Digital Innovation, and former Chief, Office of Management and Budget Cybersecurity Team.
To reform FISMA to meet today’s onslaught of devastating cyberattacks like SolarWinds and the Microsoft Exchange Server hack, Chairwoman Maloney and Ranking Member James Comer released new discussion draft legislation called the Federal Information Security Modernization Act of 2022.
Witnesses unanimously supported the work of the bipartisan discussion draft released by Chairwoman Maloney and Ranking Member Comer to advance a risk-based cybersecurity posture that improves coordination and incorporates modern, advanced security principles.
- In his written remarks, Mr. Bitko stated that “without a strong legislative foundation, the complexity of federal cybersecurity, the number of different stakeholders, and the constant need for those stakeholders to be dealing with ongoing urgent threats suggests that piecemeal reform would be accomplished too slowly and could encounter real resistance and lack of buy-in from the existing security infrastructure and silos of responsibility for security dotted across the federal government landscape.”
- In response to Chairwoman Maloney’s question about the shortcomings of the current FISMA law that were exposed by the SolarWinds attack, Mr. Schneider noted, “A lot of compliance activities are necessary, but not sufficient, for cybersecurity.” He added, “I think more and more we have to be in a position of presuming that a compromise either exists or is going to happen, be able to quickly detect those compromises and incidents, and be able to respond and recover to them swiftly and adequately….”
- In response to questioning from Rep. Brown on how the draft legislation’s requirement for ongoing risk assessments will strengthen an agency’s security, Ms. Wynn emphasized: “Performing continuous risk assessment is an absolute necessity. Environments change rapidly within the federal government as new mission requirements change or new software or new capabilities come out; you want to bring the best of breed into the United States federal government to meet mission requirements, and so doing it on a continuous basis is really critical.”
In the wake of the sophisticated SolarWinds cyberattack and Log4j vulnerability, witnesses highlighted that an effective update to FISMA requires a clear, coordinated, whole-of-government approach to meet the challenges of evolving cyber threats.
- In response to questioning from Rep. Speier on the need to focus on expanding the federal cybersecurity workforce, Mr. Schneider testified: “We don’t have enough skilled cybersecurity professionals nationwide, and the federal government is competing—and challenged from a wage standpoint—to bring people in. We need more programs that allow people to come into the government.” He also added, “We need the ability to have people move in and out of government more easily.”
- In response to a question from Rep. Connolly on the Government Accountability Office’s 900 open recommendations on federal cybersecurity, Ms. Franks highlighted the challenges federal agencies currently face, underscoring the need for FISMA reform: “With increasing technologies, it is hard for agencies to stay ahead looking at open recommendations while they are also trying to implement new strategies to ward off cybersecurity threats.”
- Asked by Rep. Wasserman Schultz about the importance of clearly defining the roles of OMB, CISA, and the National Cyber Director in FISMA, Mr. Nodurft replied that “by clearly delineating who owns what, agencies will know where to look and where to go and it will make it much easier for them to work together to build a broader defensive structure.”
Bipartisan members and witnesses highlighted that we must update our cybersecurity posture to adapt to evolving threats, including increased reliance on internet-connected devices.
- In Ranking Member Comer’s opening remarks, he stated, “I encourage our Members to support a streamlined legislative product the Chairwoman and I are crafting, which adheres to a risk-based cybersecurity model. We are confident our approach gives more flexibility to our federal agencies and private sector partners to address a quickly evolving threat landscape.”
- In response to a question from Mr. Lynch on implementing zero-trust architecture, Ms. Franks highlighted: “The fundamental problem across federal agencies is identifying what’s in your inventory of systems. So, with zero trust architecture, knowing what you have before you can even protect is key. With agencies unable to really give a firm inventory of their major information systems and then the data that resides on those systems—or those that may not need access—to those systems and services.”
- Rep. Kelly emphasized the vulnerability of internet-connected devices and asked how reporting these vulnerabilities will improve coordination of federal government cybersecurity infrastructure. In response, Mr. Schneider said: “It highlights the need to take action when information is reported. We need the vulnerabilities identified, agencies need to be aware of them, and then agencies need to take action. Most successful cyberattacks come from a known vulnerability that could have been mitigated with a known patch that just had not been applied by organizations.”