HR4579-119

What This Bill Does

This bill updates federal law to explicitly require the Federal Emergency Management Agency (FEMA) to address cybersecurity threats that could disrupt its emergency response operations. It also requires FEMA to report to Congress within one year on its progress in strengthening its cybersecurity defenses.

Who Benefits and How

Cybersecurity vendors and federal contractors benefit most directly through new opportunities to provide cybersecurity services, software, and hardware to FEMA. Defense contractors and cybersecurity consulting firms specializing in government work stand to gain contracts worth millions as FEMA works to meet its new cybersecurity mandate. State and local emergency management agencies also benefit indirectly from a more secure federal emergency response system, reducing risks during natural disasters and crises.

Who Bears the Burden and How

FEMA and its leadership face new compliance and reporting obligations, requiring staff time, resources, and budget to implement cybersecurity improvements and prepare congressional reports. The Cybersecurity and Infrastructure Security Agency (CISA) takes on additional consultative responsibilities working with FEMA. Ultimately, federal taxpayers will bear the costs of FEMA's cybersecurity upgrades, though these costs are not specified in the bill.

Key Provisions

• Adds "mitigating cybersecurity risks" as an official statutory responsibility of FEMA under the Homeland Security Act of 2002
• Defines cybersecurity risks as those that could impede FEMA's operational capabilities during emergencies
• Requires FEMA's Administrator to work with CISA's Director on cybersecurity improvements
• Mandates a progress report to three congressional committees (Homeland Security, Transportation and Infrastructure, and Governmental Affairs) by one year after the bill becomes law
• Removes outdated language that limited FEMA's responsibilities to those existing "as of the day before enactment"