Lawmakers try to reform federal cybersecurity again

The House Oversight and Accountability Committee passed the Federal Information Security Modernization Act of 2023 out of committee on Thursday, marking a renewed effort by lawmakers to pass modernization of the primary law for federal government cybersecurity. 

“This is the second time in four years the committee has considered sweeping FISMA reform,” Rep. James Comer, R-Ky., committee chair, said during the markup. 

The last major FISMA reform was passed in 2014. Lawmakers in both chambers also attempted to pass a reform bill in 2022, which didn’t make it into law. 

Sens. Gary Peters, D-Mich., and Josh Hawley, R-Mo. — with Comer and Reps. Jamie Raskin, D-Md., Nancy Mace, R-S.C. and Gerry Connolly, D-Va., — introduced the bicameral, bipartisan proposal last July. 

The version considered by the committee on Thursday reflects changes made since then due to “many positive discussions we have had with the Senate, the administration and industry stakeholders,” said Comer. 

The bill includes clarification of key roles and responsibilities at agencies with cybersecurity duties, including the Office of Management and Budget, Department of Homeland Security and Office of the National Cyber Director, said Comer. 

It also codifies the role of the chief information security officer at OMB, gives agencies reporting duties for cyber attacks and major incidents and taps the Cybersecurity and Infrastructure Security Agency with the authority to assess federal risk posture on an ongoing basis. 

“Modernizing FISMA is a big step towards the clear, coordinated whole of government approach to federal cybersecurity that our government needs to meet the challenges of the dangerous and constantly evolving threat landscape,” said Raskin, the ranking member of the committee. 

Lawmakers cut some sections of the bill introduced last summer entirely — including requirements for OMB to update guidance on logging and log retention, for example — and tinkered with others.

Rep. Pete Sessions, R-Texas, offered an amendment to the bill during the markup that he said was meant to harmonize private sector reporting requirements, although he later withdrew the proposal.

Changes in the bill since it was first reintroduced last summer include new language around a requirement for federal agencies to implement a single sign-on service for public websites requiring identity verification “which may be one developed by” the General Services Administration. GSA houses a single sign-on service, Login.gov, that was the subject of a bombshell inspector general report last year. 

The new bill also includes a waiver system around that requirement, calls on OMB to issue “guidance for agencies to implement identity management systems and a single sign-on trusted identity platform” and directs for the Government Accountability Office to report on identity management systems used by agencies and whether they meet relevant standards and guidance.

The committee also passed a recently introduced bill focused on the government’s use of artificial intelligence, among other proposals.