By NHI Mgmt Group Editorial TeamPublished 2025-12-18Domain: Governance & RiskSource: Bitwarden

TL;DR: The analysis of FISMA 2022 argues that the bill modernises federal cyber governance around risk, automation, inventories, and agency coordination while still omitting explicit requirements for passwords, MFA, and basic access hygiene, according to Bitwarden. The gap matters because governance reform that skips core identity controls can modernise reporting without materially reducing compromise pathways.


At a glance

What this is: This is an editorial analysis of FISMA 2022 that finds the bill modernises federal cyber governance while omitting explicit password and MFA language.

Why it matters: It matters because IAM programmes only improve when policy reform reinforces basic identity controls, not when it replaces them with reporting and coordination alone.

By the numbers:

👉 Read Bitwarden’s analysis of FISMA 2022 and the federal password gap


Context

FISMA 2022 is a federal cybersecurity governance bill, and the article’s central claim is that modernisation can still miss the most basic identity controls. In practice, that means policy can advance on automation, inventories, and reporting while leaving password hygiene and MFA under-specified.

That gap matters for IAM because weak authentication is not a niche control problem. When legislation treats identity assurance as implied rather than explicit, agencies risk building a more coordinated compliance model without materially improving access security.


Key questions

Q: Why do federal cybersecurity policies need explicit password and MFA requirements?

A: Because broad security language does not guarantee consistent implementation. Explicit password and MFA requirements turn identity assurance into a testable control, reduce ambiguity across agencies, and make it possible to audit whether access protection is actually improving rather than just being described in policy.

Q: What breaks when identity controls are assumed rather than named in policy?

A: Agencies end up with uneven enforcement, unclear ownership, and gaps between reported compliance and real access protection. Assumed controls are easy to overlook in legacy systems, exception paths, and shared service models, which is where compromise risk often concentrates.

Q: How should teams measure whether continuous monitoring is improving IAM?

A: They should measure whether monitored controls are actually enforced, such as MFA coverage, password policy compliance, privileged account review completion, and exception closure. If monitoring only produces dashboards, it is reporting activity rather than security improvement.

Q: Who is accountable for identity assurance in a shared governance model?

A: Each agency or function needs explicit ownership for authentication standards, access review, and remediation. Shared governance can coordinate efforts, but it cannot replace a named owner for the identity controls that determine whether access is safe.


Technical breakdown

Why password controls still anchor federal identity assurance

Passwords remain the first line of defence in many identity stacks because they gate initial authentication and influence the blast radius of account takeover. When a bill or programme talks about risk-based security but does not explicitly name password management, it leaves implementation open to interpretation. That matters because policy language shapes procurement, control baselines, and audit expectations. A modern security posture still has to address credential quality, reuse, rotation, and recovery paths, especially where legacy systems remain in service.

Practical implication: require explicit password hygiene standards in any control baseline, not just general language about secure access.

Why MFA cannot be treated as an implied control

Multi-factor authentication reduces the chance that a single compromised secret becomes a full account compromise, but it only works when it is mandated, consistently enforced, and paired with sensible exception handling. The article notes that MFA and 2FA are absent from the bill’s text, which is a governance issue rather than a technical one. If the policy layer is silent, agencies can claim modernisation while leaving authentication strength to local interpretation. That creates uneven assurance across departments and systems.

Practical implication: make MFA a named control requirement with measurable coverage targets and exception review.

How agency differentiation should support continuous risk management

The bill’s emphasis on differentiated roles, automation, inventories, and continuous monitoring reflects a move away from point-in-time compliance. That direction is sound, but it only works if agencies know exactly which identity and access controls each party owns. Continuous risk assessment should not become continuous ambiguity. The operating model has to show who owns authentication, who owns privileged access review, and who owns remediation when access controls fail. Otherwise, automation accelerates reporting without accelerating reduction in exposure.

Practical implication: map identity control ownership across agencies before automating reporting or assessment workflows.


NHI Mgmt Group analysis

FISMA modernisation without explicit authentication language leaves a policy blind spot. The bill’s focus on automation, inventories, and agency coordination is directionally right, but it does not substitute for named identity controls. Passwords and MFA are not peripheral details. They are the governance primitives that determine whether risk-based security can actually reduce compromise. The practitioner lesson is that modern governance still has to name the controls that stop account takeover.

Basic identity hygiene is still a legislative control, not just an operational preference. The article implicitly treats passwords as assumed infrastructure, yet the SolarWinds example shows how weak credential practice can sit beneath even sophisticated programmes. That is a governance failure mode, not a tooling gap. When legislation avoids explicit identity assurance requirements, agencies can over-index on process reform while under-specifying the controls that protect access itself. Practitioners should treat omission as a signal to tighten their own baselines.

Continuous monitoring only improves security when the underlying access model is already disciplined. FISMA 2022’s move toward ongoing assessment can help, but only if the identity layer is stable enough to measure. If passwords are weak, MFA is optional, or privileged access is inconsistently governed, continuous monitoring becomes a better reporting engine rather than a better defence. The implication is straightforward: measure identity controls first, then automate their oversight.

Agency differentiation should reduce control overlap, not dilute accountability for identity assurance. The bill’s role clarity is useful, but identity security breaks down when everyone coordinates and no one owns the authentication baseline. That is the broader lesson for federal IAM programmes: shared governance does not remove the need for explicit control ownership. The practitioner conclusion is that access assurance must be assigned, testable, and auditable across agencies.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
  • That same governance gap is visible in identity programmes that treat access assurance as implied, which is why the Ultimate Guide to NHIs , Key Challenges and Risks remains a practical reference.

What this signals

Identity governance is most effective when policy names the controls that must exist, not just the outcomes it wants. When federal modernisation focuses on automation and coordination without explicit authentication requirements, the result can be cleaner reporting but weaker assurance. The broader lesson for IAM leaders is that control specificity still matters more than governance ambition.

Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, according to The State of Non-Human Identity Security, which is a reminder that access assurance remains fragile even before programmes add automation or shared-service complexity. Teams should expect the same fragility wherever identity controls are assumed rather than enforced.


For practitioners

  • Add explicit password and MFA requirements to policy baselines Translate broad security language into named controls for password strength, MFA coverage, exception handling, and recovery processes. If a policy cannot be tested against an access review, it is too vague to protect identity assurance.
  • Map control ownership before automating compliance reporting Assign clear responsibility for authentication, privileged access review, and remediation across departments. Automation should follow ownership mapping, not replace it.
  • Treat monitoring as a verification layer, not a substitute for controls Use continuous monitoring to confirm that password and MFA rules are enforced, exceptions are documented, and privileged accounts are reviewed. Monitoring cannot compensate for undefined access standards.
  • Review legacy systems for authentication exceptions Inventory older platforms that cannot support modern authentication patterns and define compensating controls for them. Legacy exceptions are where policy language often breaks down first.

Key takeaways

  • FISMA 2022 modernises cyber governance, but the article argues that it still under-specifies the identity controls that stop account compromise.
  • The biggest gap is not strategy, but execution detail: passwords and MFA must be named if agencies want measurable access assurance.
  • Practitioners should turn broad policy language into explicit control baselines, then verify those controls through continuous oversight.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Federal access controls need explicit identity assurance requirements.
NIST SP 800-63Password and MFA language maps to digital identity assurance expectations.
NIST Zero Trust (SP 800-207)AC-4Zero trust depends on explicit verification, not assumed access safety.

Align federal access governance to zero trust by making verification and least privilege explicit.


Key terms

  • Authentication Assurance: Authentication assurance is the degree of confidence that the entity presenting credentials is genuinely the subject being authenticated. In identity programmes, it depends on factors such as password strength, MFA, recovery controls, and how consistently those controls are enforced across systems.
  • Control Baseline: A control baseline is the minimum set of security requirements that must exist before a system or programme can be considered compliant. For identity security, it should name password policy, MFA, privilege review, and exception handling so that governance can be tested rather than implied.
  • Continuous Monitoring: Continuous monitoring is the ongoing review of security signals to confirm that controls remain effective over time. In identity governance, it should validate that authentication rules are enforced, privileged accounts are reviewed, and exceptions are resolved, not just that dashboards are populated.

What's in the full article

Bitwarden's full post covers the policy-level details this post intentionally leaves for the source:

  • The article’s plain-language breakdown of each FISMA 2022 objective and how it maps to federal cyber priorities
  • The SolarWinds example used to illustrate why weak passwords still matter in modern security programmes
  • The bill’s emphasis on continuous monitoring, automation, and inventory management across federal systems
  • The specific agency roles Bitwarden says the bill tries to clarify, including CISA and the National Cyber Director

👉 Bitwarden’s full post covers the bill’s control priorities, agency roles, and identity oversight critique.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-12-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org