Manufacturers, defense suppliers and other federal contractors may benefit from a new cybersecurity law intended to safeguard agency information and help bolster defenses against future cyber threats. The Federal Information Security Modernization Act of 2014 (FISMA II or the Act) was recently enacted to update its 2002 predecessor by adapting it to current-era cyber realities. It seeks to implement broad security programs, coordinate and expedite agency procedures, and institute greater control, oversight and preparation with respect to cyber threats and events. FISMA II also makes clear that new information security programs are to cover information systems for both government agencies and contractors. Furthermore, the government will turn to independent external auditors and diagnostics technologies from commercial contractors to support this expanded effort.
The objective of FISMA II is comprehensive: to streamline and tighten agency-wide procedures for information controls and make them more efficient and effective. Its legislative directive is also broad: to strengthen federal information security controls; improve management and oversight; increase the managerial role of the Department of Homeland Security (DHS), in consultation with the Office of Management and Budget (OMB); and impose new, shorter deadlines for agencies to report security incidents to Congress. The Act also establishes a federal information security incident center and requires agencies to undertake periodic risk assessments of their policies and practices.
Private companies that provide, receive, or exchange data or other information in connection with a federal agency project are expected to be affected. The Act will implement programs targeted at information systems covering the operations and assets of government agencies and “contractor[s],” among “other source[s].” Apart from information protection, FISMA II provides increasing opportunities for independent external auditors to conduct information system effectiveness evaluations (which are required annually) for agencies without an inspector general (IG), or for agencies whose IG chooses to use an external auditor for such evaluations.
Information security is the cornerstone of the new law, and FISMA II reaffirms government agencies’ ongoing reliance on commercial “continuous diagnostics technologies” to execute this expanded and fortified line of cyber defense. The technologies include “security tools to provide information security” and other products through the DHS’s Continuous Diagnostics and Mitigation program. These increasingly sophisticated items include “commercial off-the-shelf (COTS) tools,” which the DHS has characterized as products “with robust terms for technical modernization as threats change.”
Ongoing cyber-world challenges and the programs under FISMA II raise issues of compliance and protection. But there are also opportunities for independent auditors to hone and expand their evaluations of agency programs and assess their effectiveness. Diagnostics technology developers are also well positioned to further create and showcase their most advanced tools to help the government prepare for and defend against cyber war tactics. Time is of the essence, as new technologies are being implemented. Under FISMA II, the OMB Director, with the DHS Secretary’s assistance, is required to assess the agencies’ adoption of these technologies within the first two years. As a result, commercial providers with top-shelf diagnostics technology for testing agency information systems should find continuing market demand from government agencies.
A more in-depth discussion of the opportunities and challenges presented by FISMA II is available here. Additional information for officers and directors on Taking Control of Cybersecurity can be found in this white paper published by my colleagues. Stay tuned for reviews of additional new cybersecurity laws.