There are 150+ pieces of cybersecurity-related legislation advancing through Congress, and one of those pieces is the Federal Information Security Modernization Act, or FISMA.
In January 2022, Congressional members of the Oversight and Reform Committee introduced FISMA 2022 (the new bill is an update from a version enacted in 2002). The purpose of the bipartisan bill, as stated, is to “take a cutting-edge and strategic approach to ensure federal IT systems can better prepare for and respond to today’s cyber challenges.”
Here we examine whether this piece of legislation addresses basic security fundamentals - such as strong passwords, multi-factor authentication (MFA), and basic password management - and how well it does so.
In March, SC Media reported the House and Senate were ‘very close’ to an agreement on FISMA.
As evidenced by the Bitwarden State of Password Security report, when it comes to cybersecurity there are quite a few cooks in the kitchen. This can be both a good and a bad thing. It’s good if each agency has a specific, differentiated role, and not great if those roles all bleed together. That’s why the first objective of the bill - agency differentiation - is welcome and laudable. The same holds for the remainder of the objectives.
Legacy strategies, such as placing undue emphasis on perimeter-based security, need to evolve into something much more powerful. Proactivity is always preferable to reactivity. Some level of compliance oversight is necessary, but it shouldn’t be so burdensome as to take away from the actual task at hand: securing data. Software Bills of Materials, or SBOMs, as the Cybersecurity and Infrastructure Security Agency (CISA) rightly points out, are “a key building block in software security and software supply chain risk management.” Better communication between agencies is vital.
But in considering all of this, it’s striking that nowhere in the bill’s text is there mention of passwords. Passwords are a critical component of security. A strong password is one of the first barriers to preventing a data breach.
One of the more recent, egregious examples of a weak password security culture involved SolarWinds. While accounts differ as to how big of a role the password ‘solarwinds123’ played in leading to the company’s breach, no one within the organization should have been using a password of that nature.
We’re not sure why language about passwords was left out - or why multi-factor authentication (MFA) or two-factor authentication (2FA) weren’t mentioned in the text. The reasons might be innocuous. Perhaps the bill’s authors wanted to focus on what they perceived as the big picture and assumed strong password security is a given. Still, the exclusion was, well, an oversight from the Oversight Committee.
Put forth by House Committee on Oversight and Reform Chairwoman Carolyn B. Maloney and Ranking Member James Comer, the strategic aim of the bill is to "advance a risk-based cybersecurity posture, modernize and streamline reporting requirements to enhance security through automation, and expand inventories and information-sharing for improved security. FISMA 2022 also clarifies and streamlines the roles of the National Cyber Director, the Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency, the Federal Chief Information Security Officer, and other federal entities to better coordinate efforts to mitigate and respond to cyber incidents."
After reviewing the bill’s accompanying one-pager, our layman’s breakdown is that the bill:
Differentiates between and assigns certain roles to specific agencies, so that they don’t duplicate efforts or step on each other's turf
Promotes (and hopefully, actually implements) security strategies that have been in use within the private sector, such as zero trust security, cloud migration, automation, penetration testing, and vulnerability disclosure. It claims it wants to replace ‘point-in-time assessments with ongoing and continuous risk assessments’, which we take to mean it wants federal agencies to be more proactive than reactive
Emphasizes a reduction in compliance-related reporting requirements and instead leans into continuous monitoring through automation
Encourages agencies to keep inventory of all internet-enabled systems and software (including software components and bills of materials)
Puts the onus on CISA to find ways for agencies to better communicate with each other about their cybersecurity achievements and challenges
Have any cybersecurity-related bills in mind that you’re interested in seeing Bitwarden explore further? Give us a shout on Twitter.