The SolarWinds and Microsoft Exchange breaches remind agency leaders that the policies governing cybersecurity across government are not stopping damaging breaches. Remaking the Federal Information Security Management Act (FISMA), which requires agencies to develop agency-wide information security programs, could involve as many as six steps.
- Richard Spires, former Chief Information Officer of the Department of Homeland Security and the Internal Revenue Service, said reporting is one area in which FISMA should be reformed, saying it would be better for agencies to address their top five security risks than to go through the Authority to Operate process across all government systems.
- Spires said he also recommends those rewriting FISMA legislation avoid being too specific and include concepts that continue to evolve, like Zero Trust.
- Spires said an enterprise approach to cybersecurity is critical to ensure leaders have necessary visibility.