Press Release Published: Jan 11, 2022

Comer: FISMA Needs a Modern Update to Better Deter & Defeat Cyber Threats

WASHINGTON—House Committee on Oversight and Reform Ranking Member James Comer (R-Ky.) opened today’s hearing on “Cybersecurity for the New Frontier: Reforming the Federal Information Security Modernization Act” by calling for a modern update to ensure federal agencies, in coordination with the private sector and government contractors, can better protect against, quickly fix, and deter future damaging digital intrusions. 

In his opening statement, Ranking Member Comer emphasized the importance of the federal government protecting Americans’ sensitive information housed on federal agency systems from bad actors who continue to develop new methods of attack. Ranking Member Comer concluded by thanking Chairwoman Maloney for working in a bipartisan fashion to reform FISMA in order to help agencies address a persistent and quickly evolving threat landscape in a flexible manner.

Below are Ranking Member Comer’s remarks as prepared for delivery.

Thank you, Chairwoman Maloney, for holding this hearing to examine a central law governing federal cybersecurity — the Federal Information Security Modernization Act (FISMA). 

Prior Congresses have not encountered the same array or frequency of cybersecurity threats we face today.

Last year’s breach against SolarWinds exposed weaknesses throughout multiple federal agencies and the private sector.

Just last month, we learned of a new vulnerability infecting an internet tool called “Log4j.”

Some estimate that Log4j is used in nearly a third of all websites, impacting government agencies and businesses large and small.

These incidents highlight why FISMA, a law which assigns cybersecurity roles and responsibilities for the protection of federal information systems, is a critical component in our cyber defense arsenal.

Public and private sector entities continue to play whack-a-mole while hackers take advantage of every possible weakness in information systems. 

A modern update to FISMA will ensure federal agencies, in coordination with the private sector and government contractors, can better protect, disrupt, and deter damaging digital intrusions.

The federal government maintains extensive public records which contain sensitive information on all Americans and the private sector businesses and institutions that drive our economy and civil society.

Congress and the executive branch must be smart and diligent stewards of this sensitive and valuable information.

In examining FISMA, we need to clearly understand the full scope and evolving nature of cybersecurity challenges our government faces before enacting systemic changes.

Recently, the Senate and the Administration addressed FISMA reform through legislation and executive guidance. 

These are important steps, ones that the Chairwoman and I hope to build upon to ensure reforms do not unnecessarily impose restrictive burdens, duplication, or complication.

FISMA reform must provide agencies with the authority to effectively address threats with speed and precision, while also freeing time to continuously monitor new and emerging threats as they arise.

To get this right we must understand a core principle of cybersecurity — that it is impossible to have a completely secure system.

As technology continuously evolves, our systems and networks will become more interconnected, allowing bad actors to continue to discover or engineer new methods of attack.

Any reform must enable federal agencies to respond to an incident in real time to mitigate damage, fix the problem, and effectively share critical information about the attack so it does not happen again.

Burdensome red tape requirements for coordination and outdated compliance checklists cannot remain significant hurdles when responding to major cyber incidents.

Nor should Congress be subjected to delayed and disjointed agency briefings following major incidents.

That said, we also recognize the cyber expertise and knowledge housed within the executive branch, along with government contractors performing valuable cybersecurity services.

We have listened to these experts.

We have accounted for their advice and guidance in drafting House companion legislation.

We greatly appreciate OMB’s technical assistance, and have honored an overarching request to avoid imposition of overly burdensome, bureaucratic reporting and compliance controls which hamper agencies from addressing daily cybersecurity challenges.

I also want to thank the Chairwoman and her staff for working diligently to incorporate this feedback.

I encourage our members to support a streamlined legislative product the Chairwoman and I are crafting which adheres to a risk-based cybersecurity model.

We are confident our approach gives more flexibility to our federal agencies and private sector partners to address a quickly evolving threat landscape.

We are also focused on offering statutory authority enabling agencies to take proactive steps to harden our nation’s cyber defenses.

I am confident that cybersecurity modernization is largely achievable through carefully balanced FISMA reform.

I look forward to hearing from our witnesses, each of whom has unique perspectives in working in this cyber arena.

Together, I hope our collective efforts in reforming FISMA will place the federal government on a solid security footing for years to come, improve coordination, and present a unified front in deterring and defeating cyber threats.

I yield back.