This bill mandates that FEMA report on its progress in mitigating cybersecurity risks that could impede agency operations, in coordination with CISA.
Representative Bennie Thompson (MS-2)
The FEMA Cybersecurity Improvement Act amends the Homeland Security Act to explicitly require the Department of Homeland Security, particularly FEMA, to focus on mitigating cybersecurity risks that could impede agency operations. The bill mandates that the FEMA Administrator submit a progress report to Congress within one year detailing these cybersecurity improvements, developed in coordination with CISA.
The newly proposed FEMA Cybersecurity Improvement Act is pretty straightforward: it updates the rulebook for the Department of Homeland Security (DHS) to make sure FEMA’s digital defenses are up to the task. Essentially, it’s a legislative reminder that when a hurricane hits or a disaster strikes, FEMA needs to be able to actually process claims and coordinate relief without getting shut down by a bad actor online. The bill explicitly adds “mitigating cybersecurity risks that could impede Agency operations” to FEMA’s core duties under Section 523(a) of the Homeland Security Act of 2002.
For most people, FEMA is the agency that shows up after the worst day of your life. Whether you’re waiting on emergency housing, disaster loans, or just coordinating local resources, that response relies heavily on digital systems. This bill recognizes that a cyberattack is just as much a threat to effective disaster relief as a collapsed bridge. By making cybersecurity an explicit, mandated priority, the law ensures that FEMA isn't just reacting to physical disasters but is also proactively hardening its systems against digital ones. Think of it this way: if a hacker locks down FEMA’s database, it’s not just a tech problem—it’s a delay in getting your family the support they need when your house is flooded.
This legislation doesn't just issue a mandate; it requires homework. Within one year of the bill becoming law, the FEMA Administrator must deliver a detailed progress report to Congress. This report has to spell out exactly what steps FEMA has taken to tackle those operational cybersecurity risks. Crucially, FEMA must coordinate this report with the Cybersecurity and Infrastructure Security Agency (CISA). This CISA partnership is key because it forces inter-agency collaboration, ensuring FEMA uses the best available expertise to secure its systems. For the average taxpayer, this reporting requirement means Congress gets a mandatory check-in on how FEMA is spending time and money to protect critical systems, adding a layer of accountability that was previously less defined in statute.
While the focus is on cyber resilience, the bill also does some necessary housekeeping. It removes some outdated language from the Homeland Security Act that referred to the law’s status before this new bill was signed, and it renumbers several sections. These administrative changes might seem minor, but they clean up the statute, making it clearer for agency staff and future lawmakers. Overall, this Act is a procedural upgrade designed to ensure that FEMA’s digital infrastructure is as resilient as the communities it serves, making disaster response potentially faster and more reliable when it matters most.