CONGRESSWOMAN ELISE STEFANIK
On Tuesday, April 16, 2013, the House will consider H.R. 1163, the Federal Information Security Amendments Act of 2013, under a suspension of the rules. H.R. 1163 was introduced on March 14, 2013 by Rep. Darrell Issa (R-CA) and was referred to the Committee on Oversight and Government Reform, which held a markup and reported the bill by a voice vote.
H.R. 1163 enhances the Federal Information Security Management Act of 2002 (FISMA) by improving the framework for securing federal information technology (IT) systems. The bill establishes stronger oversight of federal agency IT systems by focusing on “automated and continuous monitoring” of cybersecurity threats and on regular “threat assessments.” In addition, H.R. 1163 reaffirms the authority of the Director of the Office of Management and Budget (OMB) to oversee agency information security policies and practices. By permitting some flexibility, though, H.R. 1163 continues to allow DHS, under the direction of OMB, to exercise responsibility within the executive branch for many of the operational aspects of FISMA. This is done while allowing the Executive Office of the President to be held firmly accountable for ensuring that individual agencies meet the new standards.
H.R. 1163 expands the security requirements of federal agencies, and directs senior agency officials—with a frequency sufficient to support risk-based security decisions—to 1) test and evaluate information security controls, and 2) conduct threat assessments by monitoring information systems and identifying potential vulnerabilities. Current law requires only periodic testing and evaluation.
H.R. 1163 directs agencies to collaborate with OMB and appropriate public and private sector security operations centers on security incidents that go beyond the control of an agency. The bill also requires that security incidents be reported, through an automated and continuous monitoring capability when possible, to the federal information security incident center, appropriate security operations centers, and agency Inspector General.
The bill requires the head of each agency to designate a Chief Information Security Officer, who has the authority and primary responsibility to develop, implement and oversee an agency-wide information security program, to ensure and enforce compliance with the requirements imposed on the agency. This designation is already made by some agencies, but H.R. 1163 would make it uniform across the federal government.
Cybersecurity threats have significant national security and economic consequences, and the risks are rapidly and continuously evolving. According to the Government Accountability Office (GAO), federal agencies have experienced a “dramatic increase in reports of security incidents,” with the total number of reported cybersecurity incidents increasing by 782 percent from 2006 to 2012.
The Federal Information Security Management Act of 2002 (FISMA), which became Title III of the E-Government Act of 2002, tasked each federal agency with implementing security controls over the information that supports federal operations and assets. In addition, FISMA gave the Director of OMB authority to oversee the agencies’ information security policies and practices. Since FISMA was enacted, compliance has become more of a routine formality than a rigorous means of enhancing security. H.R. 1163 was introduced to update FISMA to account for the technological developments since its enactment, and to enhance “real-time” cybersecurity.
The House passed identical legislation (H.R. 4257) in the 112th Congress on April 26, 2012 by a voice vote, but the Senate did not take up the measure.
U.S. Government Accountability Office, Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented, Feb. 2013, http://www.gao.gov/assets/660/652170.pdf.
See PL 107-347.
The CBO estimates that implementing H.R. 1163 would cost $620 million over the 2014-2018 period, assuming that the necessary amounts are made available from appropriated funds. Enacting the bill would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply. For more information, see CBO’s cost estimate on H.R. 1163.