FISMA Update: What’s changing and why it matters

In early October, the Homeland Security and Governmental Affairs Committee announced bipartisan legislation that’s set to make waves in federal civilian cybersecurity. This move to overhaul the Federal Information Security Management Act (FISMA) from 2014 is especially notable as the government became the most targeted sector over the past year, with high-profile incidents shedding light on several areas for improvement. A lot has changed since 2014 when the FISMA bill was last updated by congress. Attacks like the 2020 SolarWinds hack – which uncovered gaps in security coverage for third-party service providers – prove that the threat has intensified. New requirements within the legislation enable greater transparency and accountability around software security, specifically for those who create or manage software in a federal capacity.

Covering the vast threat in government

A robust application security (AppSec) program is critical for scanning and testing web apps that, when left unchecked or mismanaged altogether, can leave entire agencies vulnerable to cybersecurity threats. Amendments to the legislation underscore just how vast the threat landscape can be, especially when varying agencies have their own processes and toolsets. To help offset these and other roadblocks, a handful of requirements will steer the way the government handles cybersecurity moving forward. Notable changes include:

• Cutting the notification period for cyber breaches to 72 hours, which is more aligned with private sector breach notification standards.
• Requiring agency leaders to conduct the initial analysis of a breach, and, if necessary inform impacted citizens within 30 days of the incident.
• Understanding strengths and weaknesses of various agencies to improve processes, reinforce collaboration, and share security responsibilities.

Federal agencies, like teams within an organization, can end up working in silos due to communication barriers and antiquated processes. The need for a more holistic approach to cybersecurity within the federal government is clear, especially as significant threats continue to emerge. The legislation places an emphasis on the need for interconnectivity between agencies, which is critical when evaluating where skill and process gaps might negatively impact security measures.

Staying one step ahead of emerging threats

With such important changes on the horizon, where should orgs start if they want to prepare? Guidelines for risk management outlined for the government by the National Institute of Standards and Technology (NIST) suggest leaning on modern dynamic application security testing (DAST) and interactive application security testing (IAST) platforms, with an emphasis on auto-discovery to identify assets and proof-based verification for automatic validation of flaws. The Cybersecurity and Infrastructure Agency (CISA) also recommends operating under the Zero Trust (ZT) architecture, which, as defined by NIST,  “...assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location.” This provides government entities (and anyone dealing with sensitive data) greater protection for critical resources like services, assets, workflows, and accounts to improve security posture. For more information on government web security, see how Invicti solutions can help and download our whitepaper: Flexible Web Application Security Testing Deployments For Government Agencies.