A key Senate committee has released legislation updating how agencies prepare for and respond to cyber attacks, including requirements for federal civilian agencies and contractors to share more information about attacks on their systems.
The Homeland Security and Governmental Affairs Committee released the “Federal Information Security Modernization Act of 2021” today. The panel will mark up the bill during a hearing Wednesday.
The legislation would update FISMA for the first time since 2014. It aims to codify the Cybersecurity and Infrastructure Security Agency’s central role in federal cybersecurity response efforts; CISA did not exist when FISMA was last revised, having been established as a standalone agency within DHS only in 2018.
And it comes after major cyber attacks on federal networks in recent years, most notably the SolarWinds campaign where attackers breached the networks of at least nine U.S. agencies.
“Since Congress last addressed this critical issue, online threats have rapidly evolved and CISA had not yet been created,” Chairman Gary Peters (D-Mich.) said. “This bipartisan bill will help secure our federal networks, update cyber incident reporting requirements for federal agencies and contractors to ensure they are quickly sharing information, and prevent hackers from infiltrating agency networks to steal sensitive data and compromise national security.”
The bill would give federal civilian executive branch agencies up to 30 days after a breach has occurred to determine whether to give notice to individuals potentially affected by the hack, based on “an assessment of the risk of harm to the individual,” such as whether their personally identifiable information was stolen.
It would also require agencies to report “any information relating to any incident, whether the information is obtained by the federal government directly or indirectly,” to CISA and the White House Office of Management and Budget.
The bill would also require agencies to keep Congress apprised of any significant cyber attacks. The legislation would give agencies five days from determining that a “major incident” has occurred to provide a written report and briefing to relevant congressional committees, including both HSGAC and the House Homeland Security Committee.
Federal contractors and grantees would be required to “immediately report” to their awarding agency any incident or breach affecting federal data or information systems. The agency would then work with the contractor to report the details to CISA and, if necessary, Congress.
Peters and HSGAC Ranking Member Rob Portman (R-Ohio) released a bill last week requiring critical infrastructure owners and operators to report cyber incidents to CISA within 72 hours. The committee will also mark up that bill during Wednesday’s hearing.
In addition to incident reporting and information sharing requirements, the FISMA modernization bill would also have CISA assign its cybersecurity professionals to serve as advisors to the chief information officers of each civilian agency.
It would also give CISA 540 days — about 18 months — to establish a program providing “ongoing, hypothesis-driven threat-hunting services on the network of each agency.” The fiscal 2021 National Defense Authorization Act already provided CISA with authority to hunt for threats on federal civilian networks.
The bill would bolster many of the directives in President Joe Biden’s May executive order on cybersecurity, including a requirement for OMB, CISA and the National Institute of Standards and Technology to issue guidance for agencies to implement “presumption of compromise and least privilege principles” in line with the zero trust architecture concept.
The legislation would give OMB plenty of new homework, including coming up with a new “risk-based budget model” to guide cybersecurity spending at agencies. The model would consider cyber threat intelligence and the interconnectivity of agency systems to “indicate where resources should be allocated to have the greatest impact on mitigating current and future threats and current and future cybersecurity capabilities.”
It would be used to inform the acquisition and sustainment of major IT systems and cyber tools, as well as the development of personnel policies and new concepts of operations.