Bill Overview
Title: Federal Information Security Modernization Act of 2022
Description: This bill addresses federal information security management, notification and remediation of cybersecurity incidents, and the roles of the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA). CISA must perform, on an ongoing and continuous basis, assessments of federal risk posture. The bill requires evaluation by each agency of whether additional cybersecurity procedures are appropriate at least once every three years. An agency, as expeditiously as practicable and without unreasonable delay, and within 45 days after it has a reasonable basis to conclude that a breach has occurred, must (1) determine whether notice to any individual potentially affected by the breach is appropriate based on a risk assessment; and (2) as appropriate, provide written notice to each individual potentially affected. Notification may be delayed under specified circumstances. Each agency must provide any information relating to a major incident to CISA, the OMB, the Office of the National Cyber Director, the agency's office of inspector general, the Government Accountability Office, and Congress. An agency's contractors and grant recipients must notify the agency of an incident involving federal information within a specified time frame. Each agency shall develop training for individuals at the agency with access to federal information or information systems on how to identify and respond to an incident. CISA must establish a program to provide ongoing, hypothesis-driven threat-hunting services on the network of each agency. The bill establishes specified pilot programs to enhance federal cybersecurity.
Sponsors: Rep. Maloney, Carolyn B. [D-NY-12]
Target Audience
Population: People impacted by cybersecurity policies in federal agencies
Estimated Size: 4,000,000
- Federal employees and contractors are the primary individuals directly impacted by federal cybersecurity measures due to their access to and interaction with systems handling federal information.
- Individuals who have personal data stored within federal agency systems could be indirectly impacted, especially in the event of a data breach.
- Citizens relying on federal services, which may be disrupted or impacted by cybersecurity incidents, would also be affected.
- Cybersecurity professionals involved in policy and protection mechanisms would be involved in implementing the bill's requirements.
Reasoning
- The primary target population for this policy involves federal employees and contractors who must implement and adhere to the enhanced cybersecurity standards. These individuals directly interface with federal systems, meaning their workflow and processes may change due to the policy.
- Citizens whose sensitive personal information, such as Social Security or tax records, is held by federal agencies could benefit from reduced data breaches or, conversely, face delays if breaches occur and response times are impacted.
- The budget of $500 million in the first year and $6.27 billion over ten years outlines the scale of operations and technological enhancements needed, which might include training, infrastructure, threat assessment, and personnel for ongoing cybersecurity monitoring.
- Given that the directly impacted population is estimated at 4 million individuals (federal employees and contractors), with potentially more impacted indirectly (citizens interacting with these services), variations in Cantril wellbeing scores will depend heavily on each person's direct responsibilities and the perceived effectiveness of the policy.
Simulated Interviews
Federal IT Manager (Washington, D.C.)
Age: 35 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 20.0 years
Commonness: 5/20
Statement of Opinion:
- This policy feels necessary but increases my workload significantly, especially with continuous assessments.
- I'm anxious about potential breaches and the pressures it puts on me and my team.
Wellbeing Over Time (With vs Without Policy)
Year | With Policy | Without Policy |
---|---|---|
Year 1 | 5 | 5 |
Year 2 | 6 | 5 |
Year 3 | 6 | 5 |
Year 5 | 7 | 6 |
Year 10 | 7 | 6 |
Year 20 | 8 | 7 |
Private Citizen (New York, NY)
Age: 50 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 5.0 years
Commonness: 8/20
Statement of Opinion:
- I don't notice any impact yet, but I hope my information is more secure.
- I do worry about it leading to longer wait times for federal services.
Wellbeing Over Time (With vs Without Policy)
Year | With Policy | Without Policy |
---|---|---|
Year 1 | 7 | 7 |
Year 2 | 7 | 7 |
Year 3 | 7 | 7 |
Year 5 | 7 | 7 |
Year 10 | 8 | 7 |
Year 20 | 8 | 7 |
Cybersecurity Analyst (San Francisco, CA)
Age: 29 | Gender: female
Wellbeing Before Policy: 5
Duration of Impact: 10.0 years
Commonness: 6/20
Statement of Opinion:
- This policy increases demand for my skills but also adds a lot of pressure because stakes are higher.
- I'm excited to be part of important work though.
Wellbeing Over Time (With vs Without Policy)
Year | With Policy | Without Policy |
---|---|---|
Year 1 | 6 | 5 |
Year 2 | 7 | 6 |
Year 3 | 7 | 6 |
Year 5 | 7 | 6 |
Year 10 | 8 | 7 |
Year 20 | 8 | 7 |
Federal Contractor (Dallas, TX)
Age: 41 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 10.0 years
Commonness: 7/20
Statement of Opinion:
- It means more training and policy shifts for us, which can be frustrating at times.
- Overall, I think it's beneficial for security and my career prospects.
Wellbeing Over Time (With vs Without Policy)
Year | With Policy | Without Policy |
---|---|---|
Year 1 | 6 | 6 |
Year 2 | 7 | 6 |
Year 3 | 7 | 6 |
Year 5 | 7 | 6 |
Year 10 | 7 | 7 |
Year 20 | 8 | 7 |
Retired Government Employee (Chicago, IL)
Age: 62 | Gender: male
Wellbeing Before Policy: 8
Duration of Impact: 2.0 years
Commonness: 9/20
Statement of Opinion:
- I'm not directly affected anymore, but I still care about how secure our data is.
- I'm glad something proactive is being done.
Wellbeing Over Time (With vs Without Policy)
Year | With Policy | Without Policy |
---|---|---|
Year 1 | 8 | 8 |
Year 2 | 8 | 8 |
Year 3 | 8 | 8 |
Year 5 | 8 | 8 |
Year 10 | 8 | 8 |
Year 20 | 8 | 8 |
Social Security Administration Employee (Los Angeles, CA)
Age: 27 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 15.0 years
Commonness: 8/20
Statement of Opinion:
- We're seeing more training sessions now, which I think is helpful.
- Still, there is always a bit of worry about data breaches despite protocols.
Wellbeing Over Time (With vs Without Policy)
Year | With Policy | Without Policy |
---|---|---|
Year 1 | 7 | 6 |
Year 2 | 7 | 6 |
Year 3 | 7 | 6 |
Year 5 | 8 | 6 |
Year 10 | 8 | 7 |
Year 20 | 8 | 7 |
Federal Policy Advisor (Boston, MA)
Age: 38 | Gender: male
Wellbeing Before Policy: 7
Duration of Impact: 10.0 years
Commonness: 4/20
Statement of Opinion:
- It's a challenging but rewarding step in federal cybersecurity.
- Requires constant evaluation on my part, which can be stressful but also engaging.
Wellbeing Over Time (With vs Without Policy)
Year | With Policy | Without Policy |
---|---|---|
Year 1 | 7 | 7 |
Year 2 | 7 | 7 |
Year 3 | 8 | 7 |
Year 5 | 8 | 7 |
Year 10 | 8 | 8 |
Year 20 | 8 | 8 |
Data Scientist (Seattle, WA)
Age: 30 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 8.0 years
Commonness: 5/20
Statement of Opinion:
- The policy is precise and offers consistency in our tasks.
- It's a bit overwhelming initially but provides long-term stability and direction for our work.
Wellbeing Over Time (With vs Without Policy)
Year | With Policy | Without Policy |
---|---|---|
Year 1 | 6 | 6 |
Year 2 | 7 | 6 |
Year 3 | 7 | 6 |
Year 5 | 8 | 7 |
Year 10 | 8 | 7 |
Year 20 | 9 | 8 |
Federal Benefits Consultant (Atlanta, GA)
Age: 55 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 5.0 years
Commonness: 7/20
Statement of Opinion:
- More stringent data policies give me confidence our systems are reliable.
- Sometimes these updates create temporary delays and more questions from clients.
Wellbeing Over Time (With vs Without Policy)
Year | With Policy | Without Policy |
---|---|---|
Year 1 | 7 | 7 |
Year 2 | 8 | 7 |
Year 3 | 8 | 8 |
Year 5 | 8 | 8 |
Year 10 | 9 | 8 |
Year 20 | 9 | 8 |
Intern at Cybersecurity Agency (St. Louis, MO)
Age: 22 | Gender: female
Wellbeing Before Policy: 5
Duration of Impact: 12.0 years
Commonness: 4/20
Statement of Opinion:
- This brings new opportunities to my career path, making cybersecurity more relevant.
- I'm learning a lot, though it can be intense to keep up.
Wellbeing Over Time (With vs Without Policy)
Year | With Policy | Without Policy |
---|---|---|
Year 1 | 6 | 5 |
Year 2 | 7 | 6 |
Year 3 | 7 | 6 |
Year 5 | 8 | 7 |
Year 10 | 8 | 7 |
Year 20 | 9 | 8 |
Cost Estimates
Year 1: $500,000,000 (Low: $400,000,000, High: $600,000,000)
Year 2: $525,000,000 (Low: $420,000,000, High: $630,000,000)
Year 3: $551,250,000 (Low: $441,000,000, High: $661,500,000)
Year 5: $605,040,625 (Low: $484,032,500, High: $726,048,750)
Year 10: $766,584,948 (Low: $613,267,958, High: $920,601,938)
Year 100: $3,157,918,618,702 (Low: $2,526,044,599,630, High: $3,789,792,637,773)
Key Considerations
- The need for skilled personnel to implement, manage, and maintain new cybersecurity measures across federal agencies.
- Integration and coordination among various federal agencies, contractors, and cybersecurity bodies to ensure comprehensive implementation.
- Long-term technological investments necessary to keep pace with evolving cybersecurity threats.
- The capacity to swiftly notify affected individuals and manage associated reputational and operational impacts.