The top senators on a homeland security committee on Monday released a bipartisan bill that updates existing information security law and would require federal civilian agencies to report all cybersecurity incidents on their networks to the Cybersecurity and Infrastructure Security Agency (CISA).
The Federal Information Security Modernization Act (FISMA) of 2021 would also provide authorities to CISA to ensure the Department of Homeland Security agency has the lead for responding to incidents and breaches on federal civilian networks.
The new measure, which would overhaul and update 2014 legislation on FISMA, follows a bill introduced last week by Sens. Gary Peters (D-Mich.) and Rob Portman (R-Ohio), the chairman and ranking member, respectively, of the Senate Homeland Security and Governmental Affairs Committee, that would mandate that owners and operators of critical infrastructure report cyber-attacks to CISA within 72 hours of detection.
“This bipartisan bill provides the security the American people deserve and the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised,” Portman said in a statement.
Peters, in a statement, said the bill will “update cyber incident reporting requirements for federal agencies and contractors to ensure they are quickly sharing information, and prevent hackers from infiltrating agency networks to steal sensitive data and compromise national security.”
The committee will consider the FISMA bill and Cyber Incident Reporting Act of 2021 on Wednesday.
The FISMA bill would also require federal civilian agencies to report major cyber incidents to Congress; have the director of the Office of Management and Budget (OMB) issue guidance to all agencies on securing mobile devices and applications, and on the use of penetration testing on their systems; have CISA establish a process to assess the performance of this testing; require CISA to create a program for “ongoing, hypothesis-driven threat hunting services” on agency networks; and require CISA to assign at least one of its employees as a CISA adviser to the chief information officer of each agency.