A bill introduced on Dec. 11 by Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio, would require Federal agencies to report to Congress within seven days about any cyber attacks they have faced that would cause significant harm to national security or agency operations.
The bill, titled the “Federal System Incident Response Act,” is especially timely in light of the SolarWinds hack, which began to come to light through alerts from the Cybersecurity and Infrastructure Security Agency (CISA) just a few days after the senators introduced the bill.
According to the text of the 29-page bill, the legislation would update the Federal Information Security Act (FISMA) to achieve its aims.
“Our Federal information systems are subjected to persistent cyber-attacks that pose a significant national security threat, and our government is not currently prepared to effectively respond to them. I am proud to lead this bipartisan bill that will modernize our government’s cyber defenses and increase transparency in how they respond in order to better protect the American people,” Sen. Peters said in a release.
The bill would require Federal agencies to give Congress an incident report within seven days of any event that endangers U.S. national or economic security, is expected to affect agencies’ operations, or in which any personal information is disclosed.
Agencies would be required to brief a raft of congressional committees about the incidents, including the Senate committees on Homeland Security and Governmental Affairs and on Commerce, Science, and Transportation, and the House committees on Oversight and Reform, on Homeland Security, and on Science, Space, and Technology. Both the House and Senate Appropriations committees would also have to be notified.
“The Federal government has a responsibility to secure the information of all Americans. As bad actors continue to exploit weaknesses in Federal systems, it’s critical that the Federal government is able to quickly respond to any incident and better protect the information in its care,” Sen. Portman said in the same release.
The bill also would instruct the Office of Management and Budget to define what constitutes a “major incident,” and provide a related update to the Senate Homeland Security and House Oversight and Reform committees.
The legislation, its sponsors said, also would require CISA to produce an annual report on Federal cyber incidents “to help Federal and private sector cybersecurity professionals understand the most common and dangerous threats” in order to help improve cyber defenses.