Late last month, President Obama signed a bill that, among other things, further defined the role and authority of the U.S. Department of Homeland Security (DHS) in the nation’s efforts to protect its information systems.
The bill – Federal Information Security Modernization Act of 2014 (FISMA 2014) – updated and modernized the FISMA Act of 2002. The underlying purpose of the 2002 act was to provide a framework for developing and maintaining minimum security controls to protect federal information systems. It tasked the director of the Office of Management and Budget (OMB) with overseeing the development and implementation of agency information security policies and practices. FISMA 2014 authorizes the DHS to actively assist the OMB in that task.
According to The National Law Review, the DHS secretary will be responsible for coordinating information security efforts government-wide, providing operational and technical assistance to agencies, and consulting with the National Institute of Standards and Technology on related standards and guidelines. Furthermore, DHS will oversee agencies’ implementation of “binding directives” developed by the OMB.
FISMA 2014 also modified the scope of “reportable information” to include specific information about threats, security incidents, and compliance with security requirements. In addition, it directed the OMB to clarify what constitutes a “major incident” in the context of agency reporting requirements.
The new law also updated the cyber breach notification requirements. The OMB director must ensure that agency policies and guidelines are periodically updated and that agencies notify Congress within 30 days of discovering a breach. That notification must include details such as the number of individuals affected, the likely risk of harm to those individuals, and the date by which the individuals will be notified.