The Senate on Tuesday passed a bill that would require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of discovering that they’ve been the victim of a cyber incident.
The bipartisan bill, which consolidates three pieces of cybersecurity legislation, now goes to the House where there is also broad support. Sens. Gary Peters (D-Mich.) and Rob Portman (R-Ohio), authors of the Strengthening American Cybersecurity Act (S. 3600), said on Wednesday they are working with a bipartisan group of legislators from the House Homeland Security, and Oversight and Government Reform Committees to get the bill passed in the House, which approved similar legislation last year.
The cyber incident reporting bill was approved by unanimous consent and, if ultimately passed into law, would signify a major shift in the nation’s battle against bad actors in cyber space, moving from a largely voluntary reporting regime to one that is mandatory, at least when an incident could threaten national security, economic security, or public health and safety.
CISA, which is part of the Department of Homeland Security, maintains that having reports of significant cybersecurity incidents allows it to analyze the threat data and give it more information that it can then share with its relevant stakeholders and partners in the public and private sector to help them defend their networks from similar attacks.
“The earlier that CISA, the federal lead for asset response, receives information about a cyber incident, the faster we can conduct urgent analysis and share information to protect other potential victims,” CISA Director Jen Easterly told Peters’ committee last September.
Supporters of the incident reporting legislation had hoped to include it as part of the fiscal year 2022 National Defense Authorization Act signed into law in late December but were unable to get enough support at the time. Peters, who chairs the Senate Homeland Security and Governmental Affairs Committee, highlighted the specter of Russian cyber-attacks against the U.S. in response to America’s active support for Ukraine to help counter Russia’s unprovoked war against its neighbor.
“As we have seen repeatedly, these online attacks can significantly disrupt our economy, including by driving up the price of gasoline and threatening our most essential supply chains, as well as the safety and security of our communities,” Peters said Wednesday in a statement. “This landmark legislation, which has now passed the Senate, is a significant step forward to ensuring the United States can fight back against cyber criminals and foreign adversaries who launch these persistent attacks.”
The bill also requires owners and operators of critical infrastructure entities to report to CISA within 24 hours if they make a ransomware payment.
Companies and entities reporting cyber incidents to CISA would receive liability protections and their information and information related to individuals would not be publicly disclosed.
The bill would also authorize a Cyber Incident Reporting Council, led by DHS and including other federal partners, to “coordinate, deconflict, and harmonize Federal incident reporting requirements, including those issued through regulations,” the bill says.
The cybersecurity legislation also includes a provision to reform the Federal Information Security Modernization Act, better known as FISMA, to direct the federal government to shift to a zero-trust architecture. The government is already moving in this direction through an executive order issued by President Biden in May 2021.
A zero-trust architecture means that networks are assumed to already be compromised, so access is gated by multiple layers of verification, such as multi-factor authentication, before a user can work on the network.
The bill also includes the Federal Secure Cloud Improvement and Jobs Act, which authorizes the Federal Risk and Authorization Management Program for another five years and updates the program to ensure federal agencies can quickly and securely adopt cloud-based technologies.