FISMA reform bill amendment cuts agency breach notification period to 72 hours
Federal agencies would have just 72 hours to notify Congress of cyber breaches under a new amendment to the recently proposed FISMA reform bill.
A substitute amendment changing the notification timeframe was adopted during a Senate committee markup Wednesday following criticism and debate over the initial five-day notification requirement.
The original notification period was part of the Federal Information Security Modernization Act of 2021 issued by Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio, on Monday.
Speaking during the markup hearing, Sen. James Lankford, R-Okla., described the five-day period as “inconsistent” with private sector breach notification requirements. Private sector cybersecurity experts also told FedScoop they were puzzled by requirements in the initial draft legislation that contrasted with requirements that private sector companies disclose breaches within 24 to 72 hours.
The FISMA reform legislation progressed from the committee stage and will now be debated on the floor of the Senate.
The bill is being considered alongside new cyber incident reporting legislation, which has also been proposed by Peters and Portman, that would introduce new legal requirements for the private sector to report cyber breaches. This legislation is intended to improve the ability of law enforcement agencies to respond to ransomware attacks.
Other notable measures in the draft bill include the requirement that agency leaders carry out an initial analysis of an incident — and where necessary inform citizens that their data has been compromised — within 30 days. It also mandates that federal IT leaders provide a briefing on the threat within seven days.
If enacted, the new proposals will also require CISA to appoint a specific cybersecurity adviser from the agency to work with the chief information officer of each government agency.
Existing guidance from the Office of Management and Budget imposes strict breach reporting requirements on agency IT leaders — but these are not supported by legislation.
Memo M-20-04, issued by OMB in November 2019, introduced a 72-hour time limit on the reporting of events to the Department of Homeland Security and OMB — whether or not a root cause is identified — and required that major incidents be reported within one hour.
Notification from agencies of a major incident can trigger a range of events, including the convening of a Cyber Unified Command Group — an interagency action coordinated by DHS and others. Under memo M-20-04, agencies must also report a major incident to their office of inspector general and Congress within a seven-day period.