Senate report advocates FISMA reforms after finding slow progress on agency cybersecurity

A new Senate report is making the case for reforms to the law governing federal cybersecurity standards, after finding multiple federal agencies made just “minimal improvements” over the past two years in their efforts to comply with the requirements.

The report, released by leaders of the Homeland Security and Governmental Affairs Committee today, follows up on a 2019 document that found eight federal agencies were out of step with federal cyber standards, putting sensitive data at risk.

The latest report found seven of the eight agencies made “minimal improvements” since 2019. Only the Department of Homeland Security employed an “effective cybersecurity regime” in 2020, according to the report. The findings are based on the agencies’ annual inspector general audits of cybersecurity programs for fiscal year 2020.

In addition to DHS, the report reviewed the departments of State, Transportation, Housing and Urban Development, Agriculture, Health and Human Services, Education, and the Social Security Administration.

The report was released by Homeland Security Committee Ranking Member Rob Portman (R-Ohio) and Chairman Gary Peters (D-Mich.). Portman spearheaded the original 2019 report when he was chairman of the Permanent Subcommittee on Investigations.

Portman will release legislation “in the coming months” to reflect many of the recommendations in the report, a committee aide told reporters.

Many of those recommendations seek to address the problems the report highlights through a more standardized, centralized approach to cybersecurity across the government.

“That federalization, that sort of balkanization of cybersecurity across federal agencies, it has been a persistent problem and it’s probably a large part of why you see such performance issues in each of these agencies,” a committee aide said.

The report recommends a “centrally coordinated approach” to improve accountability. Aides said the general idea is to have the White House National Cyber Director — a role currently filled by Chris Inglis — work closely with the director of the Cybersecurity and Infrastructure Security Agency to plug gaps and address urgent problems across agencies.

“Each agency is responsible for its own cybersecurity, but governmentwide, it’s not clear who’s responsible for coordinating the whole strategy,” an aide said. “I think we haven’t collectively decided on who that should be in our opinions yet, but it’s certainly something we need to re-visit in the near future to decide who should be that single point of accountability.”

In addition to leadership, Portman and Peters’ report lays the groundwork for potential reforms to the Federal Information Security Modernization Act at a time when the White House is also contemplating changes to how it implements the law in the wake of the SolarWinds hack and President Joe Biden’s cybersecurity executive order. Congress last updated FISMA in 2014.

The report recommends Congress modernize FISMA “to reflect current cybersecurity best practices, including focusing on mitigating identified and analyzed cybersecurity risks, in addition to meeting compliance risks.”

The annual IG FISMA reporting metrics should also use “risk-based metrics” such as common threat patterns, security controls to address those patterns, and “any other security risks unique to that agency’s networks,” the report states.

Committee aides said they also want reforms to ensure agency chief information officers are “empowered to achieve their requirements in FISMA.” They highlighted a case at HHS, where the inspector general found not all of the department’s operating divisions were using information security and continuous monitoring, which helps organizations stay abreast of gaps in their IT networks, like unpatched systems.

The IG recommended HHS develop a roadmap for deploying the tools under the continuous diagnostics and modernization program (CDM) across its operating divisions. But HHS disagreed with the recommendation, responding that it lacked the authority to direct what technologies its operating divisions use on their networks.

HHS also hasn’t fully implemented CISA’s EINSTEIN tools, an intrusion detection system that identifies known threats to networks and is required to be deployed across federal networks.

“I think generally speaking across the federal government, visibility is a big issue,” a committee aide said. “And if you have a situation where CIOs don’t have the visibility they need to accomplish their requirements in FISMA, that’s a big problem. And so I think as we look at reshaping FISMA and the issues that we’ve identified, that’s certainly an area that we want to address.”

FISMA updates should also “formalize” CISA’s role as the “operational lead for federal cybersecurity,” including by requiring federal agencies and contractors to notify CISA of “certain cyber incidents,” according to the report.

It also highlights CISA’s Cybersecurity Quality Services Management Office, recommending an expansion of shared service offerings, including “improved, government-wide endpoint detection using primarily commercial off the shelf products and services to improve the operational effectiveness of EINSTEIN.”

Portman and Peters also want the Department of Homeland Security to provide Congress “with a plan to update EINSTEIN and to justify its cost.”

The lawmakers also want FISMA to define “major incidents” in such a way that agencies notify Congress “in a timely manner” of any significant cyber events, according to the report. Lawmakers have previously expressed frustration with how some agencies did not notify Congress about intrusions on their networks related to the SolarWinds campaign.