House and Senate ‘very close’ on FISMA, FedRAMP agreement, says Senate Homeland chairman

Sen. Gary Peters, D-Mich., said Wednesday that after the passage of new cyber incident reporting legislation, lawmakers in the House and Senate are closing on another top priority: reaching agreement over legislative updates to the federal government’s cybersecurity hierarchy and primary cloud security certification program.

“This situational awareness [from cyber incident reporting] is essential to get that information in which will protect us, but we can’t stop there,” said Peters, who chairs the Senate Homeland Security and Governmental Affairs Committee. “We want to do the FISMA reform and FedRAMP legislation. We’re in discussions with the House right now and we’re very close to coming up with an agreement ... and we’re hoping we can get it passed as quickly as possible.”

The two bills, the Federal Information Security Modernization Act of 2021 and the FedRAMP Authorization Act, were part of a combined legislative package introduced by committee leaders that, along with the Cyber Incident Reporting Act, passed unanimously through the Senate in February.

However, the incident reporting provision was stripped out and inserted into the latest spending bill, while FISMA and FedRAMP were left out, something Peters described as an attempt to move more quickly on a consensus item that Congress, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) officials have said is critical to providing visibility over the frequency and depth of cyberattacks against U.S. companies.

“We believe it was absolutely essential that we get the cyber incident reporting bill into law as quickly as possible, and we seized that opportunity with our omnibus budget bill to be able to put that in and to get it written into law and now in effect,” said Peters.

Differences remain on FISMA bills

Part of the reason the two bills were not included in the omnibus, according to congressional sources with knowledge of the matter, is that there are outstanding differences between the House and Senate versions of FISMA, in part related to consternation from officials at the Office of Management and Budget (OMB) regarding the agency’s role in the federal cybersecurity hierarchy as Congress seeks to elevate newer entities like CISA and the National Cyber Director’s Office.

The FISMA update puts CISA and the newly created position of national cyber director in an advisory role to the director of the OMB when it comes to setting information security policies and agency information collection practices. It would also codify CISA’s role as the “lead entity for operational cybersecurity coordination across the federal government” and legally require other agencies to loop CISA into some of the security plans they provide to OMB.

The House version appears to nod at some of these concerns, for example by codifying the federal chief information security officer (CISO) role housed within OMB. A request for comment sent to a press official for the House Homeland Security Committee was not immediately returned.

In pushing FISMA, Peters alluded to the need for “clear lines of command and control” that agencies to follow and rely on when it comes to responding to hacks inside and outside the federal government.

“How do we streamline things, how do we break down silos? It’s one of the biggest frustrations for me and it's why the FISMA bill is so important, is you have all these silos,” said Peters. “Everyone does [the same] things, you get duplication, you get lack of coordination. It’s not the way to run a business and it’s not the way to run what has to be a Homeland Security defense force that has to work in a coordinated way with clear lines of command and control.”

Order of operations for FedRAMP delay?

There is thought to be less disagreement over the bill to codify and update the FedRAMP program, where versions have already passed the House and Senate.

However, according to the same sources, Sen. Rob Portman, R-Ohio, ranking Republican on the Homeland Security and Governmental Affairs, has expressed a desire to see FISMA reform (which he views as a higher priority) passed before or concurrently with any FedRAMP codification, and as a result the delays with FISMA may have also impeded FedRAMP’s inclusion in the spending package.

Portman briefly withheld his support from the FedRAMP bill last year while seeking changes that would ensure cloud providers relied on by the federal government weren’t outsourcing any parts of their code development to countries like Russia and China.