FISMA reform bill would require agencies to notify Congress of cyber breaches within 5 days

The legislative proposals would introduce strict new reporting requirements for senior government IT leaders.

A new bill to reform the Federal Information Security Modernization Act (FISMA) would require leaders of U.S. government agencies to notify Congress of cyber breaches within five days of an incident occurring.

The proposal is part of wide-ranging proposed legislation issued Monday by Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio.

Other notable measures in the draft bill include a requirement that agency leaders carry out an initial analysis of an incident — and, where necessary, inform citizens that their data has been compromised — within 30 days. It also mandates that federal IT leaders provide a briefing on the threat within seven days.

Action to reform FISMA comes amid pressure from the White House for departments to improve their cybersecurity systems and to move towards a cloud-based zero-trust architecture. In recent weeks, government technology sources speaking to FedScoop have described FISMA reform as key to clarifying the degree of urgency with which senior leaders at government departments must address cyber concerns, as well as the chain of command when a breach occurs.

Through the draft legislation, lawmakers are also seeking to impose new reporting responsibilities on federal government technology contractors, which would force them to notify agencies faster when a breach occurs. The reform would also introduce new cybersecurity training requirements for staff and strengthen requirements for how cyber incidents are logged.

In addition, the Cybersecurity and Infrastructure Security Agency (CISA) features heavily in the reform proposals. If enacted, the bill would boost the enforcement powers of the agency’s director and require the agency to establish new quantitative cyber metrics. Under the draft legislation, Director Jen Easterly, together with the director of the Office of Management and Budget, must also come up with a new definition of what constitutes a major cyber incident.

Commenting on the proposals, Sen. Peters said: “This bipartisan bill will help secure our federal networks, update cyber incident reporting requirements for federal agencies and contractors to ensure they are quickly sharing information, and prevent hackers from infiltrating agency networks to steal sensitive data and compromise national security.”

Portman added: “This bipartisan bill provides the security the American people deserve and the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised.”

This story was featured in the FedScoop Special Report: Modernizing Federal Cybersecurity.
