In the space of a few days, longstanding federal cybersecurity efforts have made some key progress after months of uncertainty.
In the Senate, the Homeland Security and Governmental Affairs Committee advanced the Federal Information Security Modernization Act of 2023 during a markup today. It’s been nearly a decade since Congress last passed FISMA reform.
The legislation is largely the same as a bill that nearly made it through Congress last year, but with some important changes that could improve its chances of final passage this year.
Meanwhile, the Defense Department on July 24 delivered the rule for the Cybersecurity Maturity Model Certification program to the White House for review.
It took DoD more than a year to get to this point, and the delivery of the rulemaking package kicks off a formal process that should see the rule published in the Federal Register later this year. But DoD officials have said CMMC requirements will not go into effect until late next year.
The FISMA 2023 bill was announced earlier this month as a bipartisan, bicameral bill led by Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) and House Oversight and Accountability Committee Chairman James Comer (R-Ky.).
FISMA was last updated in 2014. The push to reform the law is motivated by major changes in the technology landscape since then, as well as notable changes across the federal government.
Since 2014, the Cybersecurity and Infrastructure Security Agency was established, the White House stood up the Office of the National Cyber Director and the 2020 SolarWinds campaign pushed agencies to drastically rethink how they approach cybersecurity.
The legislation passed out of the committee today largely mirrors what nearly got through Congress last year. It would codify the role of the federal chief information security officer; require agencies to report all cyber attacks to CISA and major incidents to Congress; require annual progress reports on agency zero trust architecture implementations; and give CISA the authority to assess the risk posture of federal networks “on an ongoing and continuous basis.”
A former Hill staffer said this year’s FISMA bill getting through Congress is “really good on the prospects,” noting how the two leaders on the issue — Peters and Comer — worked on the bill together ahead of its introduction.
Last year’s bill failed to achieve final passage due to a disagreements over the role of the federal CISO, how senior privacy officials should factor into federal cybersecurity management, and the definition of “major incident,” according to the former staffer, who was granted anonymity to discuss internal deliberations.
“This time around, those issues have been ironed out ahead of time,” the former staffer said.
Senate Majority Leader Chuck Schumer (D-N.Y.) earlier this month submitted the FISMA 2023 bill as an intended amendment to the National Defense Authorization Act, which the Senate is racing to pass this week ahead of August recess.
During today’s markup, Peters noted efforts to reform FISMA have been ongoing since at least 2018.
“This is a five-year process that we are hopefully bringing to a conclusion,” Peters said.
Meanwhile, a major cybersecurity initiative that will affect federal contractors took a seemingly minor but significant step forward this week when DoD submitted the CMMC rule to the White House’s Office of Information and Regulatory Affairs for review.
Once implemented, CMMC will allow DoD to require an assessment of a contractor’s compliance with cybersecurity requirements.
The development was well received at the monthly meeting of the Cyber Accreditation Body on Tuesday. The Cyber AB is a nonprofit established to authorize and accredit the Third-Party Assessment Organizations that will conduct the cybersecurity assessments of defense contractors.
“This is a major milestone in the rulemaking journey,” Cyber AB Chief Executive Matthew Travis said. “This signals that DOD was able to finalize not only the text of the rule, but also all the data analysis that goes with it, and ostensibly also coordinated with [the Small Business Administration].”
OIRA has up to 90 days to review the rule before DoD can publish it the Federal Register. After a 60-day public comment period, there’s likely to be a lengthy period where DoD reviews those comments before finalizing the CMMC requirements.
The submission of the rule to OIRA this week lines up with the Pentagon’s latest timeline for starting to implement the CMMC requirements by the fall of 2025.
“We’re targeting late fall of next year, so that can start to be put into contracts,” Deputy DoD Chief Information Officer David McKeown said during GovExec’s Cyber Summit in May.
SEC and TSA cyber rules
The Securities and Exchange Commission today also adopted new rules to require public companies to disclose cybersecurity breaches that affect their bottom line within four days. They also require those companies to disclose information on their cybersecurity risk management and executive expertise in the field.
“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chairman Gary Gensler said in a statement. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies and the markets connecting them.”
The SEC rules will “provide more transparency into an otherwise opaque but growing risk, as well as more consistency and predictability,” Lesley Ritter, senior vice president for Moody’s Investors Service, said in a statement.
“Increased disclosure should help companies compare practices and may spur improvements in cyber defenses, but meeting the new disclosure standards could be a bigger challenge for smaller companies with limited resources,” Ritter said.
Meanwhile, the Transportation Security Administration also announced updated cybersecurity requirements for owners and operators of oil and natural gas pipelines today. TSA first issued cybersecurity directives for critical pipelines in the wake of the 2021 Colonial Pipeline ransomware attack.
“This revised security directive sustains the strong cybersecurity measures already in place for the oil and natural gas pipeline industry,” TSA Administrator David Pekoske said in a statement. “Earlier versions required the development of processes and cybersecurity implementation plans. This version requires that operators test and evaluate those plans.
The updated directive requires pipeline owners and operators to annually submit an updated Cybersecurity Assessment Plan to TSA, report the results from prior year assessments of their cybersecurity measures, and test at least two cybersecurity incident response plan objectives every year.
The directive retains existing requirements for pipeline owners and operators to report significant cybersecurity incidents to CISA, identify a cybersecurity point of contact and conduct a cybersecurity vulnerability assessment.