Federal Agencies' Cyber Security

Reform FISMA to Protect Federal Government Computer Networks

At a Glance:

  • The Federal Information Security Management Act (FISMA) elevated information security in federal agencies. However, it has not improved the situation as much as was hoped.
  • FISMA needs to be reformed, to close the gap between compliance and security.
  • We need to empower officials in charge of the security of agencies’ computer networks, with greater resources and authority. We also need to hold them accountable for identifying and addressing the threats and vulnerabilities that their networks actually face.
BSA Position

Congress needs to reform the Federal Information Security Management Act (FISMA), to ensure that agencies have the authority and resources to identify and mitigate the cyber risks they actually face.

Congress should:

  • Empower federal officials in charge of the security of agencies’ computer networks. First, they need authority to actually enforce security requirements over their agencies’ networks and systems. Second, they need the technical and human resources to perform these tasks, such as network monitoring and automated compliance monitoring and enforcement capabilities.
  • Ensure these officials are accountable for identifying and addressing the threats and vulnerabilities that their networks actually face. To do this, “red teams” should test the effectiveness of the security measures in place against real-life attacks.

Issue

The federal government is under regular and persistent cyber attack from criminals and hostile nations. Important steps have been taken to secure government systems, but Congress needs to act to reform the legislative framework that governs federal agencies’ cyber security.

Background

The enactment in 2002 of the Federal Information Security Management Act was an important milestone in the effort to elevate information security among the management priorities of federal agencies. However, FISMA has not improved information security as much as was hoped. Agencies can comply with FISMA and yet still have significant gaps in their actual security, because FISMA only requires that they show they have security processes in place, without ensuring that these measures effectively mitigate the cyber risks that the agency actually faces.

Action Needed

Congress must modernize FISMA to close the gap between compliance and security.