Nearly 20 years after it was first passed, the Federal Information Security Modernization Act is on deck for a possible upgrade, and the country’s top cybersecurity officials say it can’t come soon enough.
The 2002 FISMA legislation was meant to bring the government into the information age by setting up a series of requirements for agencies, including maintaining a current asset inventory, doing risk assessments, and developing and implementing security programs. Even in 2002, much of that was relatively basic work, but the federal government does not often move first or fast on technology. Congress updated FISMA in 2014 in an effort to deal with the quickly changing attack landscape, but the intervening seven years have seen a dramatic increase in both attack volume and complexity, and federal cybersecurity leaders told Senate lawmakers Thursday that another update is sorely needed.
“FISMA is outdated and the status quo is clearly not working. We should shift from box-checking to a culture of true risk assessments,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said during a hearing of the Senate Homeland Security and Governmental Affairs committee Thursday.
An update for FISMA is in fact in the works. The top two members of the committee, Sen. Gary Peters (D-Mich.) and Sen. Rob Portman (R-Ohio), are developing new legislation designed to both update the technological requirements for agencies and solidify the authority of CISA, which did not yet exist when FISMA was last amended. CISA is the lead cybersecurity agency for the federal government and also has authority over critical infrastructure, but there are many other federal agencies with defensive, investigative, or other cybersecurity responsibilities, including the FBI and other components of the Department of Homeland Security. Easterly said any update to FISMA should make clear what authorities and responsibilities her agency has.
“With regard to FISMA, any update should codify CISA’s operational role and hold departments accountable for the investments they make in their teams,” she said.
“And we have to move from checking boxes to real operational risk management.”
In addition to the FISMA update, Senate lawmakers also are working on legislation that would require critical infrastructure operators to report incidents such as ransomware intrusions and ransom payments to the appropriate federal authority. The goal is to give authorities as well as private sector companies a clearer and more timely picture of ongoing threats.
“We need to get reports about all flavors of cyber incidents because it’s important to be able to render assistance and analyze and share information widely. Having that information in a timely way so we can share with critical infrastructure and state and local level governments, so we can collectively raise the baseline of the cyber ecosystem. It’s incredibly important to instantiate that in legislation,” Easterly said.
The Biden administration has put a strong emphasis on cybersecurity in general and ransomware specifically, pressuring Russian leaders to stop harboring cybercrime groups, indicting alleged ransomware actors, and sanctioning organizations it says are part of the ransomware payment ecosystem. Earlier this week, the Department of the Treasury designated cryptocurrency exchange Suex, meaning it is off-limits for transactions for U.S. persons.
“SUEX has facilitated transactions involving illicit proceeds from at least eight ransomware variants. Analysis of known SUEX transactions shows that over 40% of SUEX’s known transaction history is associated with illicit actors,” the Treasury advisory says.
Disrupting the ransomware payment pipeline is a complex task, thanks to the fact that virtually all payments are made in cryptocurrency and the exchanges and processors that handle them are not based in the U.S. But federal officials said it’s possible.
“I do think it’s doable to disrupt the cryptocurrency payment system. We can essentially lock those down if we know that they’re engaged in illicit activities,” said Chris Inglis, National Cyber Director and a former deputy director of the National Security Agency.