TL;DR: The analysis of FISMA 2022 argues that the bill modernises federal cyber governance around risk, automation, inventories, and agency coordination while still omitting explicit requirements for passwords, MFA, and basic access hygiene, according to Bitwarden. The gap matters because governance reform that skips core identity controls can modernise reporting without materially reducing compromise pathways.
NHIMG editorial — based on content published by Bitwarden: FISMA 2022 analysis and the password security gap
By the numbers:
- There are 150+ pieces of cybersecurity-related legislation advancing through Congress.
Questions worth separating out
Q: Why do federal cybersecurity policies need explicit password and MFA requirements?
A: Because broad security language does not guarantee consistent implementation.
Q: What breaks when identity controls are assumed rather than named in policy?
A: Agencies end up with uneven enforcement, unclear ownership, and gaps between reported compliance and real access protection.
Q: How should teams measure whether continuous monitoring is improving IAM?
A: They should measure whether monitored controls are actually enforced, such as MFA coverage, password policy compliance, privileged account review completion, and exception closure.
Practitioner guidance
- Add explicit password and MFA requirements to policy baselines Translate broad security language into named controls for password strength, MFA coverage, exception handling, and recovery processes.
- Map control ownership before automating compliance reporting Assign clear responsibility for authentication, privileged access review, and remediation across departments.
- Treat monitoring as a verification layer, not a substitute for controls Use continuous monitoring to confirm that password and MFA rules are enforced, exceptions are documented, and privileged accounts are reviewed.
What's in the full article
Bitwarden's full post covers the policy-level details this post intentionally leaves for the source:
- The article’s plain-language breakdown of each FISMA 2022 objective and how it maps to federal cyber priorities
- The SolarWinds example used to illustrate why weak passwords still matter in modern security programmes
- The bill’s emphasis on continuous monitoring, automation, and inventory management across federal systems
- The specific agency roles Bitwarden says the bill tries to clarify, including CISA and the National Cyber Director
👉 Read Bitwarden’s analysis of FISMA 2022 and the federal password gap →
FISMA 2022 and the password gap federal security teams cannot ignore?
Explore further
FISMA modernisation without explicit authentication language leaves a policy blind spot. The bill’s focus on automation, inventories, and agency coordination is directionally right, but it does not substitute for named identity controls. Passwords and MFA are not peripheral details. They are the governance primitives that determine whether risk-based security can actually reduce compromise. The practitioner lesson is that modern governance still has to name the controls that stop account takeover.
A few things that frame the scale:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: Who is accountable for identity assurance in a shared governance model?
A: Each agency or function needs explicit ownership for authentication standards, access review, and remediation. Shared governance can coordinate efforts, but it cannot replace a named owner for the identity controls that determine whether access is safe.
👉 Read our full editorial: FISMA 2022 still overlooks passwords, MFA and basic access hygiene