Government Regulations, Governance, Risk and Compliance, Supply chain

Senate passes cyber bills to address supply chain security, aid state and local governments

People visit Mosaic Shopping Center Mall on Oct. 30, 2021, in Fairfax Va. The county is one of many state and local entities that were hit with ransomware attacks in 2021, and the Senate has passed new legislation to open up new federal resources and improve coordination between the federal government and SLTT entities. (Photo by Tasos Katopodis/Ge...

The Senate passed two cyber-related bills Wednesday, one that would train feds who work in acquisition on how to manage cybersecurity risk in the supply chain, and another that would provide new federal resources to state and local governments under siege from ransomware actors and cyber criminals.

The Supply Chain Security Training Act would establish a training program within the General Services Administration for federal procurement employees that would “prepare such personnel to perform supply chain risk management activities and identify and mitigate supply chain security risks that arise throughout the acquisition lifecycle, including for the acquisition of information and communications technology.”

“Federal employees purchasing software and equipment for the government must be able to recognize vulnerabilities in these products that could allow hackers to breach federal systems and disrupt our supply chains,” Sen. Gary Peters, D-Mich., said in a statement. “This bipartisan legislation will help federal employees identify potential threats to federal cybersecurity, and stop foreign adversaries and cybercriminals as they attempt to compromise our national security.”

There are few other specifics outlined in the bill regarding the structure and content of such trainings. The GSA administrator would be charged with setting up a program within six months of the bill’s passage into law, and must coordinate with the Federal Acquisition Security Council, the secretary of Homeland Security, the director of the Office of Personnel Management and consult the directors of national intelligence and the National Institute for Standards and Technology while developing the program.

The State and Local Government Cybersecurity Act would amend the 2002 Homeland Security Act to allow the federal government — through the National Cybersecurity and Integrations Center at DHS — to conduct cybersecurity exercises with state and local entities and provide them access to technical tools and other assistance, like setting up information sharing programs. It would also clear the way for federal officials to coordinate with state, local, tribal and territorial entities to set up vulnerability disclosure programs, information sharing programs and improvements to election security infrastructure.

The legislation comes at a time when state and local governments, schools and law enforcement agencies across the country are facing a wave of ransomware attacks that have crippled IT systems, disrupted services and created long-term clean up and recovery issues.

“As we’ve seen from the many recent cyberattacks, hackers with malicious intent can and do attack state and local cyber infrastructure consistently. Sometimes, state and local governments need some additional help or access to expertise to address these threats,” Sen. Rob Portman, R-Ohio, said in a statement.  

Both bills were introduced by Peters, who chairs the Senate Homeland Security and Governmental Affairs Committee. The State and Local Cybersecurity Government Act was also cosponsored by Portman and Sen. Jacky Rosen, D-Nev., while Sens. Maggie Hassan, D-N.H., and Ron Johnson, R-Wis., also cosponsored the Supply Chain Security Training Act.

Both bills now head to the House, where companion versions have been introduced by Rep. Joe Neguse, D-Colo., but have yet to pass through relevant committees or receive a floor vote.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.