Bill Overview
Title: Federal Information Security Modernization Act of 2021
Description: This bill addresses federal information security management, notification and remediation of cybersecurity incidents. For example, the bill requires (1) the Cybersecurity and Infrastructure Security Agency to perform ongoing and continuous assessments of federal information security risk posture; and (2) federal agencies to take certain actions in response to information security breaches, such as notifying affected individuals.
Sponsors: Sen. Peters, Gary C. [D-MI]
Target Audience
Population: People potentially relying on or benefiting from US federal information systems
Estimated Size: 331000000
- The bill focuses on federal information security which impacts federal employees who handle sensitive information.
- It addresses the security of federal information systems which can indirectly affect anyone relying on federal services that handle their personal data.
- Given the role of the CISA, this bill has a broader implication for federal agencies' cybersecurity posture, indirectly protecting the wellbeing of all US citizens whose data might be managed by these agencies.
Reasoning
- Federal employees who handle sensitive data are primary direct beneficiaries of this policy.
- Indirect beneficiaries include all citizens who rely on federal services which use their personal data.
- To understand the policy's impact, interviews include federal employees, citizens experiencing data breaches, and general citizens acknowledging potential benefits.
- A minimal budget compared to the GDP and population indicates more nuanced impacts on wellbeing than significant life changes.
- Sampled perspectives will include no impact scenarios and varying levels of benefit.
Simulated Interviews
Federal IT Security Analyst (Washington, D.C.)
Age: 45 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 20.0 years
Commonness: 4/20
Statement of Opinion:
- The new measures are essential as they reinforce continuous security assessments.
- Improved incident response is crucial for protecting data integrity and public trust.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 7 |
| Year 2 | 8 | 7 |
| Year 3 | 8 | 7 |
| Year 5 | 8 | 7 |
| Year 10 | 9 | 7 |
| Year 20 | 9 | 7 |
Software Developer (San Francisco, CA)
Age: 30 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 10.0 years
Commonness: 3/20
Statement of Opinion:
- The policy increases accountability among federal contractors.
- I feel more secure knowing there is a standard for breach notifications.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 7 | 6 |
| Year 10 | 8 | 6 |
| Year 20 | 8 | 6 |
Retired (Miami, FL)
Age: 65 | Gender: female
Wellbeing Before Policy: 5
Duration of Impact: 5.0 years
Commonness: 10/20
Statement of Opinion:
- It's good to know my personal information is being better protected.
- However, I don't expect my day-to-day life to change much.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 5 | 5 |
| Year 2 | 6 | 5 |
| Year 3 | 6 | 5 |
| Year 5 | 6 | 5 |
| Year 10 | 5 | 5 |
| Year 20 | 5 | 5 |
College Student (New York, NY)
Age: 20 | Gender: other
Wellbeing Before Policy: 6
Duration of Impact: 5.0 years
Commonness: 11/20
Statement of Opinion:
- I support improved federal security but lack understanding of specifics and impacts.
- Data breaches feel less concerning knowing there's a stronger policy in place.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 6 |
| Year 2 | 6 | 6 |
| Year 3 | 6 | 6 |
| Year 5 | 6 | 6 |
| Year 10 | 6 | 6 |
| Year 20 | 6 | 6 |
Small Business Owner (Chicago, IL)
Age: 50 | Gender: male
Wellbeing Before Policy: 5
Duration of Impact: 0.0 years
Commonness: 6/20
Statement of Opinion:
- Federal security improvements are reassuring, though unlikely to affect my business directly.
- Future considerations of security are easier knowing federal standards are improving.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 5 | 5 |
| Year 2 | 5 | 5 |
| Year 3 | 5 | 5 |
| Year 5 | 5 | 5 |
| Year 10 | 5 | 5 |
| Year 20 | 5 | 5 |
Federal Agency Manager (Dallas, TX)
Age: 55 | Gender: female
Wellbeing Before Policy: 7
Duration of Impact: 15.0 years
Commonness: 3/20
Statement of Opinion:
- The policy upgrades our defenses and improves our response to breaches.
- Given my role, I feel reassured knowing these frameworks are mandated.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 8 | 7 |
| Year 2 | 8 | 7 |
| Year 3 | 8 | 7 |
| Year 5 | 8 | 7 |
| Year 10 | 8 | 7 |
| Year 20 | 8 | 7 |
Journalist (Denver, CO)
Age: 40 | Gender: male
Wellbeing Before Policy: 6
Duration of Impact: 20.0 years
Commonness: 5/20
Statement of Opinion:
- The policy ensures there are consistent standards across federal security efforts.
- I appreciate the transparency and structured responses to data breaches.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 7 | 6 |
| Year 10 | 7 | 6 |
| Year 20 | 7 | 6 |
Data Scientist (Los Angeles, CA)
Age: 34 | Gender: female
Wellbeing Before Policy: 6
Duration of Impact: 10.0 years
Commonness: 8/20
Statement of Opinion:
- I'm pleased to see federal enhancement of cybersecurity measures.
- Protecting data privacy at a federal level should set an example for other organizations.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 7 | 6 |
| Year 2 | 7 | 6 |
| Year 3 | 7 | 6 |
| Year 5 | 7 | 6 |
| Year 10 | 7 | 6 |
| Year 20 | 7 | 6 |
Cybersecurity Intern (Phoenix, AZ)
Age: 27 | Gender: male
Wellbeing Before Policy: 5
Duration of Impact: 4.0 years
Commonness: 9/20
Statement of Opinion:
- The policy offers a learning and career opportunity as it demands skilled personnel.
- It's somewhat motivating knowing the field I'm entering is being prioritized.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 6 | 5 |
| Year 2 | 6 | 5 |
| Year 3 | 6 | 5 |
| Year 5 | 6 | 5 |
| Year 10 | 6 | 5 |
| Year 20 | 6 | 5 |
Retired Teacher (Kansas City, MO)
Age: 72 | Gender: female
Wellbeing Before Policy: 4
Duration of Impact: 3.0 years
Commonness: 7/20
Statement of Opinion:
- I hope this means there's less risk of my information being compromised.
- It's comforting that protections for my federal data are improving.
Wellbeing Over Time (With vs Without Policy)
| Year | With Policy | Without Policy |
|---|---|---|
| Year 1 | 5 | 4 |
| Year 2 | 5 | 4 |
| Year 3 | 5 | 4 |
| Year 5 | 5 | 4 |
| Year 10 | 5 | 4 |
| Year 20 | 5 | 4 |
Cost Estimates
Year 1: $300000000 (Low: $200000000, High: $450000000)
Year 2: $310000000 (Low: $210000000, High: $470000000)
Year 3: $320000000 (Low: $220000000, High: $490000000)
Year 5: $340000000 (Low: $230000000, High: $510000000)
Year 10: $380000000 (Low: $260000000, High: $550000000)
Year 100: $500000000 (Low: $300000000, High: $750000000)
Key Considerations
- The policy's success heavily relies on the preparedness and adaptability of federal agencies.
- Initial investment and ramp-up costs could be significant due to the need for new cybersecurity infrastructure.
- Potential technology gaps and implementation slow-downs could affect cost efficiency.
- Increased cybersecurity may deter cyber threats, but evolving threat landscapes could require continuous policy adjustment.