The top Democrat and Republican on the Senate Homeland Security Committee on Monday introduced a bill that combines three cybersecurity measures introduced last year, including a requirement that owners and operators of critical infrastructure, as well as federal civilian agencies and contractors, report significant cyber-attacks to the Cybersecurity and Infrastructure Security Agency (CISA).
The Strengthening American Cybersecurity Act consolidates the Cyber Incident Reporting Act, the Federal Information Security Modernization Act (FISMA) of 2021, and the Federal Secure Cloud Improvement and Jobs Act. The combined bill was introduced by Sens. Gary Peters (D-Mich.) and Rob Portman (R-Ohio), the chairman and ranking member, respectively, of the Homeland Security and Governmental Affairs Committee.
Backers of the incident reporting measure in the Senate and House had tried but failed last year to include the bill in the fiscal year 2022 National Defense Authorization Act, which President Biden signed into law in December. Critical infrastructure entities covered by the cyber bill would have 72 hours to report after discovering that an incident has occurred, and would have to report within 24 hours if they make a ransomware payment.
After scrubbing and reviewing the information, CISA would be required to share it with the public.
“I think the incident reporting requirements that have been discussed and proposed would add to CISA’s ability to understand not just long-term trends and cybersecurity threats, but potentially threats across industry sectors where there might be silos in reporting at the moment,” Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council, said on Tuesday in response to a question from Peters about the bill during a hearing to examine the widespread Log4Shell open source code vulnerability discovered in late 2021.
The federal government currently has limited authorities to require the reporting of cyber incidents by the private sector. CISA typically works with the private sector on a voluntary basis.
Last year, after a ransomware attack forced a major pipeline operator to temporarily shut down operations out of an abundance of caution, the Transportation Security Administration exercised existing authorities to require pipeline operators and freight and passenger rail operators to report cyber incidents affecting their networks to CISA. The attack on Colonial Pipeline led to fuel shortages in parts of the Eastern U.S., prompting incident reporting bills in the House and Senate.
A version of the FISMA reform legislation was unanimously approved last week by the House Oversight and Government Reform Committee. If it becomes law, the bill would be the first update to FISMA since 2014.
The pending FISMA bills in the House and Senate would direct the federal government to shift to a zero-trust architecture, which assumes that networks have already been compromised. Both bills also contain similar language directing the Office of Management and Budget to develop risk-based budget models for cybersecurity spending, and directing CISA to study active defense techniques to improve the security of agencies and to plan for a centralized federal security operations center within the agency.
The Federal Secure Cloud Improvement and Jobs Act, included in the consolidated bill, updates and makes permanent the Federal Risk and Authorization Management Program (FedRAMP) so that federal agencies can quickly and securely adopt cloud-based technologies.
“This bipartisan legislation will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable whole-of-government response, mitigation, and warning to critical infrastructures and others of ongoing and imminent attacks,” Portman said in a statement. “This bill strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.”