Number:  113-34
Date:  December 15, 2014

Congress Passes S. 2521,
the Federal Information Security Modernization Act of 2014

On December 10, 2014, the House passed S. 2521, the Federal Information Security Modernization Act of 2014.  The bill passed the Senate with an amendment by voice vote on December 8, 2014.  S. 2521 now moves to the President for his action.

The legislation would amend the Federal Information Security Management Act of 2002 (FISMA), the law that oversees the security of the Federal government’s information technology systems. The new bill would codify and clarify the existing roles and responsibilities of the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) for information security. It would also update guidelines that Federal agencies should follow in the event that there is an unauthorized release of data.

S. 2521 includes the following provisions of interest to SSA:

  • Would require each agency head to provide information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by the agency and all information systems.
  • Would require that each agency’s information security management be integrated with agency strategic and operational plans and budget processes; and would require the agency head to ensure that agency managers provide information security that supports the operations and assets under their control.
  • Would require each agency Chief Information Officer (CIO) or senior official who reports to the CIO (designated as the Chief Information Security Officer) to oversee the development and maintenance of security operations that continuously monitor and evaluate risks and threats. 
  • Would require each agency to develop, document, and implement an agency-wide information security program with plans to include procedures to ensure continuity of operations for information systems.  Plans would also include procedures for responding to security incidents, and require each agency to notify Congress of a major incident within seven days of the incident.
  • Would require each agency to submit an annual report to OMB, DHS, the Government Accountability Office, and Congress on the capability and effectiveness of the agency’s information security policies, procedures, and practices.
  • Would require OMB to establish procedures for agencies to follow in the event of a data breach, including requirements that agencies notify Congress no later than 30 days – and affected individuals as expeditiously as practicable – after being made aware of the breach.
  • Would require OMB to revise Circular A-130 (Management of Federal Information Resources), to eliminate inefficient and wasteful reporting.
  • Would be effective upon enactment.