FISMA Reloaded: Is a Makeover in Near Future?

A new bill is looking to update FISMA to focus more on continuous monitoring and frequent threat assessments.

Contributed by Matt Westfall

From the same House Oversight Committee that brought you the investigation into Jose Canseco’s steroid use comes proposed legislation, called the Federal Information Security Amendments Act of 2013 (HR 1163), that would update the Federal Information Security Management Act (FISMA) of 2002. The new bill (PDF) dictates the need for continuous monitoring of government systems and more frequent threat assessments. This approach would be a departure from the current model – a static “checklist” methodology for configuring networks and updating software.

Today, federal agencies are subject to a document-driven process designed to harden their networks before receiving official Authority to Operate. New vulnerabilities are addressed in periodic audits that follow the same format. The effectiveness of this approach is reflected in a report (PDF) by the Government Accountability Office that shows the number of incidents reported by federal agencies increased by 782% between 2006 and 2012.

Two concessions made by the new bill embody the majority of changes suggested throughout: that “commercially developed information security products offer advanced, dynamic, robust, and effective solutions” and that “the selection of specific technical hardware and software information security solutions should be left to individual agencies.”

Essentially, the authors of the proposed amendments have bowed to the private sector and given each agency the freedom to author original policies at the department level. Is @SenRandPaul still filibustering? Free enterprise and personal responsibility have never sounded so good.

Going forward, the bill calls on agencies to employ “vulnerability assessments and penetration tests commensurate with the risk posed to agency information systems.” While some agencies already employ effective commercial tools and red teams, this would be a step in the right direction for policy-makers who acknowledge the need for a “dynamic, risk-based approach to securing federal information systems.”

It almost makes you wonder what is going on when congressional leaders prove themselves capable of delivering such clear language on an issue that has been the subject of recent failed legislation, some of which threatened to erode privacy and broaden federal authority (see the concerns over CISPA). They must be taking something seriously. The bill comes following an announcement from the Director of National Intelligence declaring “cyber-threats” to be the chief threat to national security (knocking “international terrorism” out of the top spot after twelve consecutive years). It also appears roughly one month after Mandiant’s influential report (PDF) exposing one of China’s cyber-espionage units.

Whatever the catalyst, the amendments recognize that “FISMA’s static, compliance-based framework is inadequate to the rapidly evolving threat to our security” and promise to “incorporate the last decade of technological innovation” into existing policies. Hopefully this will create opportunities for our field of professionals as organizations begin to embrace a new approach to information security.


Do you think this bill is a step in the right direction? Let us know in the comments below. And thanks to @drinfosec for the post title. Today’s post pic is from

3 comments for “FISMA Reloaded: Is a Makeover in Near Future?”

  1. March 20, 2013 at 11:56 am

    BLOGGED: FISMA Reloaded: Is a Makeover in Near Future?

  2. March 21, 2013 at 7:29 am

    Hey @grecs so long as “continuous monitoring” means “checking vulns/configs more often,” it won’t be sufficient.

  3. March 21, 2013 at 11:00 am

    FISMA Reloaded: Is a Makeover in Near Future – check out our post for more info
