Introduced on Wednesday, the FISMA Reform Act provides an update to the 12-year-old FISMA and would give the DHS increased authority over other agencies’ networks on the .gov domain. As it stands, the DHS needs permission to come in and investigate or monitor networks, the Hill reports.
The new measure would provide DHS with legal authority to deploy tools that search for security breaches in real-time without a formal request to an agency. It would also enable DHS to conduct risk assessments of any other agency’s system and take action to secure vulnerable systems.
Earlier this year, the US Office of Management and Budget released a report that found although US government agencies spent $12.7 billion on cybersecurity in fiscal 2014 the government still faced nearly 70,000 cybersecurity events in total across departments.
Sen. Mark Warner, the lead Democrat on the bill, said that the voluntary nature of the system has “resulted in an inconsistent patchwork of security across the whole federal government.”
In a time when cybersecurity threats are changing rapidly, the federal government has been criticized for outdated programs and responding too slowly to serious data breaches, such as the OPM breach that compromised personal data belonging to 22 million people.
FISMA has also created a “cyber-industrial complex” that feeds at the trough of federal cybersecurity spending and has become so entrenched and powerful that it rules federal cybersecurity with a profitability rather than a best-practice metric. Compounding this problem are agencies that have failed to adapt archaic acquisition strategies and contracting practices to deal with the dynamic realities of cybersecurity trends and developments.
Many agencies are using “lowest price, technically acceptable” contractors to protect some of our nation’s most important and sensitive data. For these agencies, disaster either has occurred or is imminent.
The stark reality is that no agency in the executive branch prioritizes cybersecurity as a core business enabler. Federal agencies treat cybersecurity as an IT annoyance, buried as it is under their CIO. Federal agencies practice crisis-to-crisis cybersecurity management, and not proactive infrastructure resilience. Congress abets this approach by enacting authorization language that instructs each agency to deliver specific entitlements or services to the taxpayer, and appropriation language that funds the associated authorization, neither of which elevates cybersecurity to anything near an agency priority.
The government sees cyber security as a nuisance and generally places so little emphasis on it that necessary projects are rarely properly funded. Adequately explaining security concerns in a context C-level executives can understand is where the process often fails. If cyber security issues are articulated as business enablement then rest assured it will be understood.
What we need is more people capable of discussing cyber security in a business context rather than a technical one. This is why it is important to have a CISO reporting directly to the CEO rather than the CIO. The CIO rarely understands the nuances of cyber security, and like the rest of the C-level executives, often times ignores what security professionals see as an obvious threat.