Tuesday, February 1, 2022

Review - HR 6497 Introduced – FISMA Update

Last week, Rep Maloney (D,NY) introduced HR 6497, the Federal Information Security Modernization Act of 2022. The bill is one of the periodic updates of the Federal Information Security Management Act (FISMA, 44 USC 3551 et seq) which outlines the cybersecurity programs for the federal government. It also includes two additional Titles:

Title II – Improving Federal Cybersecurity, and

Title III - Pilot Programs To Enhance Federal Cybersecurity

Moving Forward

Maloney is the Chair of the House Oversight and Reform Committee to which this bill is assigned for consideration. As I mentioned yesterday, the bill is currently scheduled to be considered by the Committee tomorrow. With the bipartisan co-sponsorship (8 Democrats and 8 Republicans) that this bill has, I expect the bill to be favorably reported at the end of tomorrow’s hearing with strong (perhaps a voice vote) bipartisan support, though there may be some amendments offered. The full bill will be taken up by the full House later this year and there is a good chance that the bill will be considered under the suspension of the rules process. In any case, I would suspect the bill to pass with strong bipartisan support.


This bill continues the congressional ignorance of the fact that there are operations technology systems in the federal government that need cybersecurity protections that might be different than the protections required for purely information systems. One needs to read no further than the definitions in 44 USC 3552 (and by reference §3502) to see the truth of that assertion. This bill could be a first step in correcting that oversight by including the following new and revised definitions in §3552:

Control System - the term ‘control system’ means a discrete set of information resources, sensors, communications interfaces and physical devices organized to monitor, control and/or report on physical processes, including manufacturing, transportation, access control, and facility environmental controls;

Incident - the term "incident" means an occurrence that actually or imminently jeopardizes, without lawful authority:

(A) the integrity, confidentiality, or availability of information on an information system,

(B) the timely availability of accurate process information, the predictable control of the designed process or the confidentiality of process information, on a control system, or

(C) an information system or a control system;

Information System – the term ‘information system’ has the meaning given that term in §3502 and includes control systems as defined in this section;


For more details about the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-6497-introduced - subscription required.
