The Senate passed two cyber-related bills Wednesday, one that would train feds who work in acquisition on how to manage cybersecurity risk in the supply chain, and another that would provide new federal resources to state and local governments under siege from ransomware actors and cyber criminals.
The Supply Chain Security Training Act would establish a training program within the General Services Administration for federal procurement employees that would “prepare such personnel to perform supply chain risk management activities and identify and mitigate supply chain security risks that arise throughout the acquisition lifecycle, including for the acquisition of information and communications technology.”
“Federal employees purchasing software and equipment for the government must be able to recognize vulnerabilities in these products that could allow hackers to breach federal systems and disrupt our supply chains,” Sen. Gary Peters, D-Mich., said in a statement. “This bipartisan legislation will help federal employees identify potential threats to federal cybersecurity, and stop foreign adversaries and cybercriminals as they attempt to compromise our national security.”
There are few other specifics outlined in the bill regarding the structure and content of such trainings. The GSA administrator would be charged with setting up a program within six months of the bill’s passage into law, and must coordinate with the Federal Acquisition Security Council, the secretary of Homeland Security, the director of the Office of Personnel Management and consult the directors of national intelligence and the National Institute for Standards and Technology while developing the program.
The State and Local Government Cybersecurity Act would amend the 2002 Homeland Security Act to allow the federal government — through the National Cybersecurity and Integrations Center at DHS — to conduct cybersecurity exercises with state and local entities and provide them access to technical tools and other assistance, like setting up information sharing programs. It would also clear the way for federal officials to coordinate with state, local, tribal and territorial entities to set up vulnerability disclosure programs, information sharing programs and improvements to election security infrastructure.
The legislation comes at a time when state and local governments, schools and law enforcement agencies across the country are facing a wave of ransomware attacks that have crippled IT systems, disrupted services and created long-term clean up and recovery issues.
“As we’ve seen from the many recent cyberattacks, hackers with malicious intent can and do attack state and local cyber infrastructure consistently. Sometimes, state and local governments need some additional help or access to expertise to address these threats,” Sen. Rob Portman, R-Ohio, said in a statement.
Both bills were introduced by Peters, who chairs the Senate Homeland Security and Governmental Affairs Committee. The State and Local Cybersecurity Government Act was also cosponsored by Portman and Sen. Jacky Rosen, D-Nev., while Sens. Maggie Hassan, D-N.H., and Ron Johnson, R-Wis., also cosponsored the Supply Chain Security Training Act.
Both bills now head to the House, where companion versions have been introduced by Rep. Joe Neguse, D-Colo., but have yet to pass through relevant committees or receive a floor vote.