A new bill to reform the Federal Information Security Modernization Act (FISMA) would require leaders of U.S. government agencies to notify Congress of cyber breaches within five days of an incident occurring.
Other notable measures in the draft bill include the requirement that agency leaders carry out an initial analysis of an incident — and where necessary inform citizens that their data has been compromised — within 30 days. It also mandates that federal IT leaders provide a briefing on the threat within seven days.
Action to reform FISMA comes amid pressure from the White House for departments to improve their cybersecurity systems and to move towards a cloud-based zero-trust architecture. In recent weeks, government technology sources speaking to FedScoop have described FISMA reform as key to clarifying the degree of urgency with which senior leaders at government departments must address cyber concerns, as well as the chain of command when a breach occurs.
Through the draft legislation, lawmakers are also seeking to impose new reporting responsibilities on federal government technology contractors, which would force them to notify agencies faster when a breach occurs. The reform would also introduce new cybersecurity training requirements for staff and strengthen requirements on how cyber incidents are logged.
In addition, the Cybersecurity and Infrastructure Security Agency features heavily in the reform proposals. If enacted, the bill would boost the enforcement powers of the agency’s director and require the agency to establish new quantitative cyber metrics. Under the draft legislation, Director Jen Easterly, along with the director of the Office of Management and Budget, must also come up with a new definition of what constitutes a major cyber incident.
Commenting on the proposals, Sen. Peters said: “This bipartisan bill will help secure our federal networks, update cyber incident reporting requirements for federal agencies and contractors to ensure they are quickly sharing information, and prevent hackers from infiltrating agency networks to steal sensitive data and compromise national security.”
Portman added: “This bipartisan bill provides the security the American people deserve and the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised.”