Senate Bill Targets Government’s Response to Agency-Involved Cyber Incidents


Agencies would see new reporting requirements to keep Congress and impacted individuals more informed about security breaches.

Two senior senators introduced legislation late last week that would revamp the Federal Information Security Management Act, or FISMA, to explicitly clarify when and how agencies must alert people affected—and Congress—about breaches of federal data systems.

The Federal System Incident Response Act put forth by Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio, marks a bipartisan move to increase transparency, reporting and information-sharing in the government’s response to cybersecurity incidents impacting federal information systems.

Though it was introduced in the final weeks of the 116th Congress, the new bill reflects potential priorities for the forthcoming congressional session, officials confirmed—and it’s connected to a notable provision that could be included in the legislative text of the in-the-works trillion-dollar omnibus spending package. 

The bill is also unintentionally timely. It was released only days before reports surfaced that FBI and Cybersecurity and Infrastructure Security Agency officials are investigating a serious security breach spanning multiple agencies.

“This attack shows that the federal government is the constant target of many cyber adversaries,” Portman told Nextgov via email Monday. “This legislation ensures that those who need to be aware of the impacts of an attack such as the one reported over the weekend are well-informed and able to effectively respond.”

FISMA lays out requirements federal agencies must implement to secure the heaps of sensitive data they house. Last year, as chairman of the Permanent Subcommittee on Investigations, Portman published a comprehensive, bipartisan report that revealed many agencies did not effectively implement comprehensive cybersecurity frameworks as FISMA mandates.

“The recent attack reinforces the need for effective cybersecurity practices and procedures across the federal government,” he said. 

The 29-page bill, shared with Nextgov, would set in motion new sections in FISMA, including one with specific requirements for when Americans must be notified that their information was accessed in an agency breach. It calls on agencies’ leadership to provide written notice to “the last known home mailing address of each” individual who is impacted, “as expeditiously as practicable and without unreasonable delay, and in any case not later than 30 days after an agency has a reasonable basis to conclude that” an incident occurred. 

In a bid to help mitigate future cyber exploits, the bill also requires agency heads to share any information they can about problematic incidents with CISA and the Office of Management and Budget, so that intrusions one department experiences might be matched with similar events at others. Those involved in prior cyber encounters are also urged to provide other agencies experiencing present incidents with information directly, as requested. Among other mandates, the legislation requires CISA and the FBI to develop and submit reports to appropriate congressional committees summarizing the causes of incidents spanning the federal government, and pushes OMB to produce templates for agencies to help standardize information-sharing in this realm.

Further, the bill includes several requirements for agencies to keep appropriate members of Congress much more in the loop about breaches, both close to when they’re uncovered and in the months after. Such information could prove critical for legislators like Peters, who serves as Ranking Member of the Homeland Security and Governmental Affairs Committee—and is now moving to make it a reality, even if this bill isn’t passed this session.

“Senator Peters is working to include a provision in the omnibus which would make sure that Congress is kept informed when significant cyber-attacks occur on federal agencies,” a Peters aide told Nextgov Monday, referring to the major, forthcoming spending package for fiscal year 2021.

Peters and Portman have consistently partnered on multiple cyber-related bills in the past, including another introduced in October. Portman confirmed that the two have been working on this latest legislation for several months.

“We received feedback from across the interagency and plan to keep working on the specifics as we move through a potential markup next year,” he said.

Given the soon-to-shift congressional sessions, the bill would need to be reintroduced on or after Jan. 3 to see a markup in 2021. Still, it suggests cybersecurity will be among the top issues pursued by the two lawmakers and on their committees in the next stretch.

“We are looking ahead to priorities for next Congress and know this will be an early one, so introducing now allows us to have bill text to run by agencies and stakeholders to make sure we're getting it right to move efficiently early on next Congress,” Peters’ aide noted.

“This threat isn’t going away and we need to ensure our federal networks are secure and resilient in the face of attacks,” Portman said.