New FISMA Law Steps Up Cyber Incident Reporting

Agencies will be required to report more detailed information on all major cyber incidents annually under the recently enacted Federal Information Security Modernization Act of 2014.

S-2521 requires agencies to notify Congress of major security incidents within seven days after there is a reasonable basis to conclude that a major (to be defined by OMB) incident has occurred.

Agencies must submit an annual report on major incidents to OMB, DHS, Congress and GAO including information on threats and threat actors, vulnerabilities, and impacts; risk assessments of affected systems before, and the status of compliance of the systems at the time of, major incidents; detection, response, and remediation actions; the total number of incidents; and a description of the number of individuals affected by, and the information exposed by, major incidents involving a breach of personally identifiable information. The message is clear – if this information is missing or incomplete someone is going to have a rough day testifying before Congress.

The law also requires OMB to ensure that data breach notification policies require agencies, after discovering an unauthorized acquisition or access, to notify Congress within 30 days, and affected individuals as expeditiously as practicable.

Some agencies have chosen in the past to withhold disclosure of a breach, arguing, for example, that disclosure could jeopardize remediation efforts; the FISMA modernization bill now establishes a legal requirement to keep Congress in the loop.
