The Senate unanimously passed legislation Tuesday night that would require critical infrastructure entities to report to the federal government when they are hacked, update the government’s information security hierarchy and codify the government’s primary cloud security certification program.
The Strengthening American Cybersecurity Act is actually three separate bills jammed into one legislative vehicle.
One, the Cyber Incident Reporting Act, would require critical infrastructure owners to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours when they are hacked or suffer a significant cyber incident. Another modernizes the Federal Information Security Management Act, the primary law governing the cybersecurity of civilian agencies, and incorporates newer entities like CISA and the national cyber director into the federal reporting chain. A third is designed to codify FedRAMP, the civilian government’s cloud security certification program, into law and better account for vulnerabilities in the software supply chains of cloud service providers.
A Senate aide told SC Media that there are still outstanding differences between the House and Senate regarding the FISMA overhaul that will need to be worked out (for example, the House version codifies the federal chief information security officer role while the Senate version does not).
“At a time when we are facing significant threats of Russian cyberattacks against our institutions and our allies, it’s more important than ever that the government have an idea of what those threats are," said Sen. Mark Warner, D-Va. "I am glad the Senate has passed our bipartisan cyber incident reporting bill, and I look forward to working with my colleagues in the House to get a final version of this legislation to the president’s desk as soon as possible.”
Requiring critical infrastructure — entities that are largely private owned but whose operations are essential to the functioning of American society — to report breaches and other serious incidents has been one of the highest cybersecurity priorities in Congress over the past year as food producers, oil and gas pipelines, manufacturers, state and local governments and schools have come under relentless attack from ransomware groups, while defense contractors and other sectors have had their systems breached and purloined of sensitive trade secrets by foreign intelligence agencies and state-backed hacking groups.
It will give CISA unprecedented insight into how many companies deemed crucial to the delivery of services and the global supply chain are affected by the problem, and infuse discussions about federal resource allocation and technical assistance with more granular data.
Sen. Gary Peters, one of the chief sponsors of the bill who chairs the Homeland Security Committee, has said passing all three bills was a major priority for his committee, particularly in light of the potential for Russian-directed cyberattacks on American soil in response to economic sanctions from the West.
"We believe time is of the essence and particularly given the potential threat of Russian activity as a result of what’s happening in the Ukraine, that it's critically important for our cybersecurity agencies to have every tool in their toolbox," Peters told SC Media earlier this month.