“The Senate Homeland Security and Governmental Affairs Committee approved legislation that seeks to overhaul how federal agencies and government contractors report on cyberattacks and guidance for defending against them.
The committee on Wednesday cleared the Federal Information Security Modernization Act of 2021 along with a more controversial bill mandating private-sector reports of cyber incidents and ransomware payments…”
“The legislation specifically directs the OMB director to include in that definition, ‘any incident the head of the agency determines is likely to have an impact on the national security, homeland security, or economic security of the United States.’ The current framework for reporting cyber incidents, both in the public and private sectors, is centered more on the exposure of a certain amount of personally identifiable information, which has not been the main feature of SolarWinds or other recent hacks such as the ransomware attack on Colonial Pipeline. Agencies would have to report to Congress and administration leaders like the directors of CISA and OMB on incidents they determine to be ‘major’ within 72 hours, with subsequent reports on how they happened and other information. OMB would be required to provide guidance on deconflicting issues that emerge with contractors.
The new FISMA would also require the directors of OMB and CISA along with the National Cyber Director and others from the National Institute of Standards and Technology to create and implement a model for agencies to do risk-based cyber budgeting, assign a cyber advisor from CISA to each agency’s chief information officer, extend the Federal Acquisition Security Council through the end of 2026, and establish a pilot program where CISA offers agencies a security operations center as a service…”
Source: Senate Committee Passes Major FISMA Changes—Including a New Definition of ‘Major Incident’ – By Mariam Baksh, October 6, 2021. Nextgov.