S-2902 : Still Just a Bill


Federal Information Security Modernization Act of 2021

This bill addresses federal information security management, notification and remediation of cybersecurity incidents, and the role of the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA).

The OMB and CISA must perform, on an ongoing and continuous basis, assessments of federal risk posture. The bill requires annual evaluation by each agency of whether additional cybersecurity procedures are appropriate.

An agency, within 30 days of concluding that a major incident has occurred due to a high-risk exposure of personally identifiable information, must provide notification to the last known home mailing address of each individual whom the incident may have impacted. Notification may be delayed under specified circumstances.

Each agency must provide any information relating to an incident to CISA, the OMB, the Office of the National Cyber Director, the Government Accountability Office, and Congress. An agency's contractors and grant recipients must immediately notify the agency of an incident involving federal information.

Each agency shall develop training for individuals at the agency with access to federal information or information systems on how to identify and respond to an incident.

The OMB and CISA must (1) develop and promulgate guidance on the definition of major incident, and (2) develop a framework for prioritizing federal penetration testing resources among agencies. CISA must establish a program to provide ongoing, hypothesis-driven threat-hunting services on the network of each agency.

The bill establishes specified pilot programs to enhance federal cybersecurity.

Action Timeline

Action Date | Type | Text | Source
2022-12-19 | Calendars | Placed on Senate Legislative Calendar under General Orders. Calendar No. 673. | Senate
2022-12-19 | Committee | Committee on Homeland Security and Governmental Affairs. Reported by Senator Peters with an amendment in the nature of a substitute. With written report No. 117-274. | Senate
2021-10-06 | Committee | Committee on Homeland Security and Governmental Affairs. Ordered to be reported with an amendment in the nature of a substitute favorably. | Senate
2021-09-29 | IntroReferral | Read twice and referred to the Committee on Homeland Security and Governmental Affairs. | Senate
2021-09-29 | IntroReferral | Introduced in Senate | Library of Congress

Policy Area:

Government Operations and Politics
Related Subjects
  • Computer security and identity theft
  • Congressional oversight
  • Employment and training programs
  • Government employee pay, benefits, personnel management
  • Government information and archives
  • Government studies and investigations
  • Performance measurement
  • Right of privacy
  • Technology assessment
Related Geographic Entities
Related Organizations
  • Department of Homeland Security
