Senate Bill Targets Government’s Response to Agency-Involved Cyber Incidents

Agencies would see new reporting requirements to keep Congress and impacted individuals more informed about security breaches.

Two senior senators introduced legislation late last week that would revamp the Federal Information Security Management Act, or FISMA, to explicitly clarify when and how agencies must alert people affected—and Congress—about breaches to federal data systems. 

The Federal System Incident Response Act put forth by Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio, marks a bipartisan move to increase transparency, reporting and information-sharing in the government’s response to cybersecurity incidents impacting federal information systems.

Though it was introduced in the final weeks of the 116th Congress, the new bill reflects potential priorities for the forthcoming congressional session, officials confirmed—and it’s connected to a notable provision that could be included in the legislative text of the in-the-works trillion-dollar omnibus spending package. 

The bill is also unintentionally timely. It was released only days before reports surfaced that FBI and Cybersecurity and Infrastructure Security Agency officials are investigating a serious security breach spanning multiple agencies.

“This attack shows that the federal government is the constant target of many cyber adversaries,” Portman told Nextgov via email Monday. “This legislation ensures that those who need to be aware of the impacts of an attack such as the one reported over the weekend are well-informed and able to effectively respond.”

FISMA lays out requirements federal agencies must implement to secure the heaps of sensitive data they house. Last year, as chairman of the Permanent Subcommittee on Investigations, Portman published a comprehensive, bipartisan report that revealed many agencies did not effectively implement comprehensive cybersecurity frameworks as FISMA mandates.

“The recent attack reinforces the need for effective cybersecurity practices and procedures across the federal government,” he said. 

The 29-page bill, shared with Nextgov, would set in motion new sections in FISMA, including one with specific requirements for when Americans must be notified that their information was accessed in an agency breach. It calls on agencies’ leadership to provide written notice to “the last known home mailing address of each” individual who is impacted, “as expeditiously as practicable and without unreasonable delay, and in any case not later than 30 days after an agency has a reasonable basis to conclude that” an incident occurred. 

In a bid to help mitigate future cyber exploits, the bill also requires agency heads to share any information they can about problematic incidents with CISA and the Office of Management and Budget, so that intrusions one department experiences might be matched with similar events at others. Those involved in prior cyber encounters are also urged to provide information directly to other agencies experiencing present incidents, as requested. Among other mandates, the legislation requires CISA and the FBI to develop and submit reports to appropriate congressional committees summarizing the causes of incidents spanning the federal government, and pushes OMB to produce templates for agencies to help standardize information-sharing in this realm.

The bill also includes several requirements for agencies to keep the appropriate members of Congress much better informed about breaches, both close to when they are uncovered and in the months after. Such information could prove critical for legislators like Peters, who serves as Ranking Member of the Homeland Security and Governmental Affairs Committee and is now moving to make it a reality, even if this bill isn’t passed this session.

“Senator Peters is working to include a provision in the omnibus which would make sure that Congress is kept informed when significant cyber-attacks occur on federal agencies,” a Peters aide told Nextgov Monday, referring to the major, forthcoming spending package for fiscal year 2021.

Peters and Portman have consistently partnered on multiple cyber-related bills in the past, including another introduced in October. Portman confirmed that the two have been working on this latest legislation for several months.

“We received feedback from across the interagency and plan to keep working on the specifics as we move through a potential markup next year,” he said.

Given the soon-to-shift congressional sessions, the bill would need to be reintroduced on or after Jan. 3 to see a markup in 2021. Still, it suggests cybersecurity will be among the top issues pursued by the two lawmakers and on their committees in the next stretch.

“We are looking ahead to priorities for next Congress and know this will be an early one, so introducing now allows us to have bill text to run by agencies and stakeholders to make sure we're getting it right to move efficiently early on next Congress,” Peters’ aide noted.

“This threat isn’t going away and we need to ensure our federal networks are secure and resilient in the face of attacks,” Portman said.
