A New Cyber World Framework to Strengthen Agency Information Security

25 March 2015 Manufacturing Industry Advisor Blog

Manufacturers, defense suppliers and other federal contractors may benefit from a new cybersecurity law intended to safeguard agency information and help bolster defenses against future cyber threats. The Federal Information Security Modernization Act of 2014 (FISMA II or the Act) recently was enacted to update the Federal Information Security Management Act of 2002 for current-era cyber realities. It seeks to implement broad security programs, coordinate and expedite agency procedures, and institute greater control, oversight and preparation for cyber threats and events. FISMA II also makes clear that the new information security programs are to cover information systems used or operated both by government agencies and by contractors on their behalf. Furthermore, the government will turn to independent external auditors and to diagnostics technologies from commercial contractors to support this expanded effort.

The objective of FISMA II is comprehensive: to streamline and tighten agency-wide procedures for information security controls and make them more efficient and effective. Its legislative directive also is broad: to strengthen federal information security controls; improve management and oversight; increase the managerial role of the Department of Homeland Security (DHS), in consultation with the Office of Management and Budget (OMB); and impose new, shorter deadlines for agencies to report security incidents to Congress. The Act also establishes a federal information security incident center and requires agencies to undertake periodic risk assessments of their policies and practices.

Private companies that provide, receive, or exchange data or other information in connection with a federal agency project are expected to be affected. The Act directs agencies to implement programs covering the information systems that support their operations and assets, including systems "used or operated by" a "contractor" or "other source" on the agency's behalf. Apart from information protection, FISMA II provides increasing opportunities for independent external auditors to conduct the annually required evaluations of information security program effectiveness, either for agencies without an inspector general (IG) or for agencies whose IG chooses to engage an external auditor for such evaluations.

Information security is the cornerstone of the new law, and FISMA II reaffirms government agencies' ongoing reliance on commercial "continuous diagnostics technologies" to execute this expanded and fortified line of cyber defense. These technologies include "security tools to provide information security" and other products offered through the DHS's Continuous Diagnostics and Mitigation (CDM) program. These increasingly sophisticated items include "commercial off-the-shelf (COTS) tools," which the DHS has characterized as products "with robust terms for technical modernization as threats change."

The programs required under FISMA II, and the evolving threats they respond to, present compliance and protection challenges. They also create opportunities: independent auditors can hone and expand their evaluations of agency programs, and diagnostics technology developers are well positioned to create and showcase their most advanced tools to help the government prepare for and defend against cyber war tactics. Time is of the essence, as new technologies are being implemented now. Under FISMA II, the OMB Director, with the DHS Secretary's assistance, is required to assess the agencies' adoption of these technologies within the first two years. As a result, commercial providers with top-shelf diagnostics technology for testing agency information systems should find continuing market demand from government agencies.

A more in-depth discussion of the opportunities and challenges presented by FISMA II is available here. Additional information for officers and directors on Taking Control of Cybersecurity can be found in this white paper published by my colleagues. Stay tuned for reviews of additional new cybersecurity laws.

This blog is made available by Foley & Lardner LLP ("Foley" or "the Firm") for informational purposes only. It is not meant to convey the Firm's legal position on behalf of any client, nor is it intended to convey specific legal advice.