House Passes FISMA Reform Bill: As part of its “Cyber Week” activities, the House passed H.R. 1163, the Federal Information Security Amendments Act of 2013, this week by a vote of 416-0. The bill, introduced by House Oversight and Government Reform Chairman Darrell Issa (R-CA) and Ranking Member Elijah Cummings (D-MD), amends the Federal Information Security Management Act of 2002 (FISMA) to reestablish the oversight authority of the Director of the Office of Management and Budget (OMB) with respect to agency information security policies and practices. The bill adds security controls for IT systems government-wide, and requires agencies to implement continuous monitoring, conduct threat assessments and maintain secure facilities. According to the Congressional Budget Office, the bill will cost $620 million over 4 years to implement. Here’s the GPO Summary.
Cybersecurity Enhancement Act Moves through House: The House also passed H.R. 756, the Cybersecurity Enhancement Act of 2013. This bill, introduced by House Homeland Security Chairman Mike McCaul (R-TX), requires the development of a strategic plan to guide cybersecurity research and development across the federal government. In developing the plan, the bill requires that advice be solicited from federal and private stakeholders, including industry, academia, and other relevant organizations. H.R. 756 also requires the President to submit to Congress an assessment of the federal government’s cybersecurity workforce needs, including the needs of each agency and department, the skills sought by the federal government and the private sector in this field, and the capacity of institutions of higher education to meet the workforce needs. From a public sector standpoint, the legislation aims to codify NIST’s role in the development of cloud computing for the federal government by requiring that the NIST Director work in collaboration with the Federal CIO Council to continue to encourage the development of a comprehensive strategy for the use and adoption of cloud computing by federal agencies. See the bill text and summary here.
CIO Council Releases Federal Shared Services Implementation Guide: As a follow-up to the Federal IT Shared Services Strategy released in May 2012, the CIO Council released the Federal Shared Services Implementation Guide on April 16, 2013 to provide information and guidance on the provisioning and consumption of shared services in the Federal Government. The guide provides agencies with high-level processes and key considerations for “defining, establishing and implementing interagency shared services to help achieve organizational goals, improve performance, increase return on investment and promote innovation,” according to the released guide. The release of the implementation guide demonstrates the continued commitment of the Obama Administration to leveraging shared services government-wide, as it believes there are significant cost-savings opportunities to be achieved as a result. Here’s the link to the guide.
GSA releases application for FedRAMP 3PAO accreditation organizations: On April 15, 2013, GSA released the application for private sector entities to apply to take over the process by which FedRAMP Third-Party Assessment Organizations (3PAOs) are chosen. The decision to move forward with this was made following the RFI that GSA released on the same subject back on February 15th. The idea behind this is to take some of the burden off GSA while adding bandwidth to the FedRAMP 3PAO program, with the hope of moving more cloud service providers through the process more quickly. To date there have been 17 3PAOs certified and two companies that have received their provisional authorization through the FedRAMP program. GSA stopped accepting applications for additional 3PAOs in March. Here’s the link to the FBO announcement.
DISA ready to move forward as DOD’s “cloud broker”: On April 16th, DISA announced that it has the framework in place to act as the overall cloud broker for the Department of Defense, responding to a task assigned by Defense CIO Teri Takai last June that made DISA the Department’s internal cloud broker. According to this article in NextGov, DISA said it has performed cybersecurity assessments of two commercial cloud providers approved under the FedRAMP program but did not name the companies. The article also points out that DISA continues to conduct security assessments to expand future cloud alternatives and is working on model contract language supporting the use of commercial cloud providers. On a side note, as has been reported, there are only two providers approved under the FedRAMP program: CGI Federal and Autonomic Resources.
Michael Hettinger is VP for the Public Sector Innovation Group (PSIG) at SIIA. Follow his PSIG tweets at @SIIAPSIG. Sign up for the Public Sector Innovation Roundup email newsletter for weekly updates.