FISMA II: A New Cyber World Framework to Strengthen Agency Information Security

24 March 2015 Legal News Alert: Privacy, Security & Information Management Publication

As part of the Obama administration’s legislative efforts to safeguard government agency information, the Federal Information Security Modernization Act of 2014 (FISMA II) was recently enacted to fortify and update its 2002 version, and adapt procedures to respond to current-era realities of increasingly sophisticated cyber threats. The Act seeks to implement broad security programs, coordinate and expedite agency procedures, and institute greater control, oversight, and preparations as to cyber threats and events.

The objective of FISMA II is comprehensive: to streamline and tighten agency-wide procedures for information controls and make them more efficient and effective. Its legislative directive is also broad: to strengthen federal information security controls; improve management and oversight; increase the managerial role of the United States Department of Homeland Security (DHS), in consultation with the Office of Management and Budget (OMB); and impose new, shorter deadlines for agencies to report security incidents to the U.S. Congress. The Act also establishes a federal information security incident center and requires agencies to undertake periodic risk assessments of their policies and practices.

Relevance and Opportunities for the Private Sector

FISMA II is directed to internal agency procedures and oversight, but manufacturing companies, defense suppliers, and other private sector companies with federal contracts, especially for diagnostics technology and related businesses, would be wise to take note of the law, as well as the data and other information systems, controls, and procedures that will be implemented and monitored under FISMA II. Providing, receiving, or exchanging data or other information in connection with a federal agency project may well implicate FISMA II and have consequences for government contractors, especially in the event of a breach in data security or other system incident. Indeed, in describing programs to secure information systems, FISMA II makes clear that not just government agencies, but “contractors” and “other sources” are to be covered. A statutory objective is to protect, through information security programs, the operations and assets of both government agencies and contractors. Apart from information protection issues, the law provides increasing opportunities for independent external auditors to conduct system evaluations for agencies lacking an inspector general (IG), and in cases when agency inspectors general choose not to do so.

Information security is the cornerstone of the new law. To that end, FISMA II directs that effectiveness evaluations of agency information systems and their policies, practices, and procedures be conducted each year. Furthermore, as part of its commitment to enhancing the government’s capabilities, FISMA II reaffirms government agencies’ reliance on commercial “continuous diagnostics technologies” to execute this expanded and fortified line of cyber defense. The technologies include “security tools to provide information security” and other products through the DHS’s Continuous Diagnostics and Mitigation program. These increasingly sophisticated items include “commercial off-the-shelf (COTS) tools,” which the DHS has characterized as products “with robust terms for technical modernization as threats change.” Under FISMA II, the OMB director, with the DHS secretary’s assistance, is required to assess the agencies’ adoption of these technologies within the first two years. As a result, commercial providers with top-shelf diagnostics technology designed for testing agency information systems should find continuing market demand from government agencies.

Upgrading Agency Information Security Programs

FISMA requires government agencies to devise and implement effective information security programs to protect agency-wide operations. The programs are to be based, in part, on: (i) periodic assessments of the risk and magnitude of harm resulting from a security breach, or disruption or destruction of agency information or systems; (ii) processes for implementing the appropriate remedial action; (iii) procedures to detect, report, and respond to security incidents; and (iv) procedures to maintain continuity of operations.

As noted above, the new programs will target information systems for the operations and assets of the particular agency at issue and also for “those provided or managed by another agency, contractor, or other source…” The secretary of DHS will be responsible for managing information security policies and practices, and seeing that they are properly implemented. Coordinating government-side efforts, convening meetings with senior agency officials, providing technical assistance, and monitoring the policies and practices are several of the secretary’s duties under the Act.

Separately, the OMB director has responsibility for overseeing procedures for compliance standards and implementing appropriate information security protections. In what some may see as an agency power play (albeit rather modest), FISMA II requires the OMB director to “ensur[e] that the Secretary [of the Department of Homeland Security] carries out the authorities and functions” that FISMA II requires. These functions include supervising directives to agencies to put new information systems policies and standards into effect and making timely reports of security incidents. Pertinent information from the National Institute of Standards and Technology and the United States Department of Commerce is also to be considered by the secretary of DHS.

Under the OMB director’s authority, notice of data breaches is required to be made to designated congressional committees not more than 30 days after the agency’s discovery. Information is to include the cause of the breach, the number of individuals affected, an assessment of the risk and harm to them, reasons for any delay in notification, and the estimate of whether and when the agency will make the notification. Subject to policies and guidelines, the director is to require “notice by the affected agency to affected individuals …. as expeditiously as practicable and without unreasonable delay …” Each agency, however, is required, among other obligations, to notify designated congressional committees within seven days, when there is reason to believe that a major incident has occurred.

Information Security Incident Center

Under FISMA II, a central security incident center will be created and DHS will run its operations. The center will serve as a resource operations hub and provide agencies with technical assistance and guidance on security incidents in real time: detecting and handling incidents as they occur; notifying agencies about current or potential threats and system weaknesses; and providing intelligence about cyber threats, vulnerabilities, and incidents to assist in conducting risk assessments.

Annual Independent Evaluations

Under FISMA II, each agency must arrange for an independent auditor to conduct an annual evaluation of its information security program and practices to ascertain its effectiveness. For agencies with inspectors general, the evaluation may be conducted either by the agency’s inspector general or by an independent external auditor, as the IG determines. For other agencies, agency heads are to “engage an independent external auditor to perform the evaluation.”

Annual Reporting

Every year, each agency head must submit to the OMB director, DHS secretary, comptroller general, and several congressional committees a report describing the adequacy and effectiveness of information security policies, procedures, and practices. Most important, the report is required to summarize agency risk assessments, threat information, and compliance performance, as well as identify major and other information security incidents, including where information security has been significantly compromised. By March 1 of each year, the OMB director, in consultation with the DHS secretary, is required to submit a report to Congress describing the effectiveness of information security policies and practices for the previous year, and include a summary of the incidents, agency compliance with standards, and data breach notice procedures. Within the first two years, the OMB director is to assess agency implementation of data breach notification policies and guidelines, and the DHS secretary is to include the assessment in his annual report to Congress.

Ongoing cyber world challenges and programs under FISMA II present challenges of compliance and protection. But there are also opportunities for independent external auditors to hone and expand evaluations of agency programs to assess their effectiveness. Diagnostics technology developers are also well positioned to further create and showcase their most advanced tools to help the government prepare for and defend against cyber war tactics. Time is of the essence, as new technologies are being implemented and DHS and OMB are required to quickly assess, within two years, the agencies’ adoption of these technologies.

Foley & Lardner LLP Legal News Alert is intended to provide information (not advice) about important new legislation or legal developments. The great number of legal developments does not permit the issuing of an update for each one, nor does it allow the issuing of a follow-up on all subsequent developments.

Jonathan N. Halpern
New York, New York