By Kathryn Daily, CISSP, CAP, RDRP
On February 7, 2022, The Office of the Director of National Intelligence (ODNI) released the Annual Threat Assessment of the U.S. Intelligence Community. In its assessment of Russia and their Cyber capabilities, ODNI assessed that Russia will remain a top cyber threat as it refines and employs its espionage, influence, and attack capabilities, as well as a deterrence and military tool. For a year, lawmakers in Congress have been considering a version of the Strengthening American Cybersecurity Act. With Russia’s decision to attack Ukraine in February 2022 however, the senate unanimously passed the legislation.
“Cyber warfare is truly one of the dark arts specialized by Putin and his authoritarian regime, and this bill will help protect us from Putin’s attempted cyber-attacks against our country,” Senate Majority Leader Chuck Schum-er (D-N.Y.) said on the Senate floor.
The bill contains three separate pieces of legislation:
- Requirement for critical infrastructure to report cyber attacks to the Cybersecurity and Infra-structure Security Agency (CISA) within 72 hours
- Federal Information Security Modernization Act of 2022
- Federal Secure Cloud Improvement and Jobs Act of 2022
Once the legislation passes the house, where it has broad bipartisan support, it will go to the President’s desk for signature.
The FISMA update is the most significant part of the legislation. FISMA has not been updated since 2014 which is an exceptionally long time in the tech world. First, FISMA 2022 would require agency progress reports on implementing zero trust security based on the multi-year zero trust strategy with goals and milestones released last year by the White House. Additionally, FISMA 2022 pushes agencies to increase the use of automation to improve federal cyber security and visibility, as well as the use of presumption of compromise and least privilege principles to improve resiliency and timely response actions to incidents on Federal Systems. This new addition plays nicely into the Continuous Authorization to Operate (cATO) Memo released by DoD last month. FISMA 2022 also reduces FISMA reporting requirements by moving to an “every two years” assessment cadence from the current annual assessment requirement. To understand the totality of risk within the environment, agencies would be required to inventory their internet-accessible information systems and assets and allow CISA to perform risk assessments of agencies on an ongoing and continuous basis. Lastly, FISMA 2022 requires OMB, CISA and the National Cyber Director to develop a “risk-based budget model” for cyber security by identifying and prioritizing cybersecurity risks and vulnerabilities, including impact on agency operations in the case of a cyber-attack.
The intent of this update is to determine our federal cybersecurity posture for years to come. Hopefully not too many years before the next update! 8 years was a long time in the ever-changing tech industry!