On December 8, 2014, the U.S. Senate passed by voice vote legislation, authored by Senator Tom Carper’s (D-DE) Senate Committee on Homeland Security and Governmental Affairs, to overhaul the Federal Information Security Modernization Act (“FISMA”).
The Senate-passed bill, similar to legislation unanimously passed by the House in April 2013, would replace the FISMA requirement that agencies file annual checklists showing the steps they’ve taken to secure their IT systems. The Senate version puts the Department of Homeland Security (“DHS”) in charge of “compiling and analyzing data on agency information security” and helping agencies install tools “to continuously diagnose and mitigate against cyber threats and vulnerabilities, with or without reimbursement.” The House version similarly prescribes steps to “focus on automated and continuous monitoring of agency information systems and regular threat assessments.” However, because of a jurisdictional disagreement between the House Committee on Homeland Security and the House Committee on Oversight and Governmental Reform, the House version does not make DHS responsible for overseeing federal computer systems.
The House is set to leave Washington at the end of this week, effectively ending any chance to pass legislation through both legislative bodies in the 113th Congress. The limited time left to resolve jurisdictional differences in the House leaves the ultimate fate of FISMA reform legislation uncertain. Notably, with Republicans set to take the Senate majority in January, Senator Carper will no longer chair the Senate Homeland Security Committee in the 114th Congress. Therefore, it is possible that the Senate’s move to pass legislation now is intended to set a policy marker for work on FISMA reform in the next Congress, rather than advance action in the current Congress.