The new guidance requires an agency to report a "major incident" to CISA and OMB within one hour of determining that such an incident has occurred.

In early December 2021, the Office of Management and Budget ("OMB") issued Memorandum M-22-05, the "Fiscal Year 2021-2022 Guidance on Federal Information Security and Privacy Management Requirements," for federal agencies (the "Guidance").

The annual Guidance is required under the Federal Information Security Modernization Act of 2014 ("FISMA"), which directs OMB to oversee agency information security programs and requires that cybersecurity incident reporting procedures be in place for federal agencies.

While not a direct regulation of private entities, the Guidance reflects the federal government's growing focus on cybersecurity and data protection. For example, the federal banking regulators recently adopted a computer-security incident notification rule for banking organizations and their service providers. The Department of Justice ("DOJ") also recently launched a new initiative to enforce cybersecurity requirements and data protection standards against government contractors.

The federal government has faced a growing number of threats in the past year, including continued fallout from the SolarWinds supply-chain compromise and a separate intrusion campaign attributed to China; both compromised a number of federal agencies.

In line with this heightened focus on cybersecurity in the face of increased malicious activity, the Guidance adopts new data protection principles to monitor and mitigate threats and puts in place new incident notification requirements.

It is important to note that the Guidance will likely have an indirect effect on private entities. The Guidance does not directly apply to private entities; however, any private entity that engages with the federal government as a contractor will likely encounter these requirements as contractual provisions, because the agencies to which the Guidance does apply will likely flow the requirements down to the private entities that provide services to them.

Data Protection Principles

The Guidance is based on four principles, which OMB identified in its memorandum.

First, agencies are directed to adopt a "zero trust architecture," meaning security policies and procedures that grant no implicit trust based on network location or device ownership and instead assume that controls will fail and that bad actors are already attempting to access the systems. For example, agencies will need to use phishing-resistant multi-factor authentication (such as PIV smart cards or FIDO2/WebAuthn authenticators rather than SMS or one-time codes). Further, agencies will keep inventories of every device operating on or authorized for government use and will encrypt DNS queries and HTTP traffic.

A zero trust architecture also includes consistent, rigorous testing of all technology systems, including those that are not directly connected to the internet.

Second, agencies will be moving away from self-attestation (testing whose results are verified only by the party being tested) toward more thorough, independent testing. These measures will likely include both manual and automated penetration testing.

Third, assessments under FISMA will move toward a risk-based analysis. This is in line with what privacy and data protection laws require of private companies: weighing the risks involved in the data processing and the sensitivity of the information against the benefit of processing the data and the controls in place.

OMB hopes this change will focus the federal government's mitigation strategy on the most serious cybersecurity threats and risks it faces.

Finally, the Guidance will push agencies to use automation in their reporting and incident management. Specifically, the Guidance directs agencies to report FISMA data in an automated, machine-readable manner rather than through manual, document-based submissions.

Incident Response

Importantly, the Guidance puts in place strict security incident reporting requirements, which represent its biggest shift.

An agency must report a major incident to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency ("CISA") and to OMB within one hour of the agency determining that such an incident has occurred. Even if the agency originally reported the incident as a non-major incident, once it is determined to rise to the level of "major," the agency must make another report to CISA and OMB within that one-hour window.

Under the Guidance, a "major incident" is either: (1) any incident that is likely to result in demonstrable harm to national security interests, foreign relations, the economy, public confidence, civil liberties, or public health and safety; or (2) a breach involving personally identifiable information that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to national security interests, foreign relations, the economy, public confidence, civil liberties, or public health and safety.

An incident is automatically considered major, however, if there is unauthorized modification of, deletion of, exfiltration of, or access to the personally identifiable information of 100,000 or more individuals. Such a breach therefore must be reported to CISA and OMB within one hour, regardless of the agency's independent harm assessment.

If a major incident occurs, an agency will also need to notify its appropriate congressional committees within seven days of determining that a major incident has occurred, and must also inform its Office of Inspector General.

Effect on Private Entities

While the Guidance does not directly apply to private entities, it further reflects the federal government's heightened focus on cybersecurity and data breach response.

If federal agencies are required to meet certain cybersecurity requirements, those agencies will likely flow those requirements down to their government contractors as well.

Private entities that work with or for federal agencies as government contractors, or that receive federal funding, should expect to see heightened contractual cybersecurity requirements in line with the Guidance, including shorter incident notification timelines and stricter authentication and testing expectations.

As the federal government heightens its focus on cybersecurity and data breach response, the Benesch Data Protection and Privacy team is committed to staying at the forefront of knowledge and experience to assist our clients in their compliance efforts. We are available to assist you with any compliance needs.