US Senate Passes Incident Reporting, FISMA Update BillLegislative Package Passed by Unanimous Consent Amid Ukraine Conflict
The U.S. Senate has passed a landmark cybersecurity package that bundles three substantial measures - mandatory 72-hour incident reporting for critical infrastructure, an update to federal IT security strategy, and authorization for the governmentwide program standardizing security assessment, authorization and monitoring for cloud services.
The bill, spearheaded by leaders of the Homeland Security and Governmental Affairs Committee, was passed through Congress' upper chamber by unanimous consent, with officials citing escalating cyberthreats stemming from Russia's war in Ukraine.
The bill, the Strengthening American Cybersecurity Act, was sponsored by Sen. Gary Peters, D-Mich., the committee chairman, and its ranking member, Sen. Rob Portman, R-Ohio. The lawmakers had previously pushed stand-alone legislation for the provisions - and had attached incident reporting and updates to the Federal Information Security Management Act, known as FISMA, to the must-pass defense spending bill for 2022, the National Defense Authorization Act. Although there had been bipartisan consensus, the measure fell through at the eleventh hour in December 2021.
Now, both Peters and Portman say in a statement that their reworked bill will "significantly enhance [the] nation's ability to combat ongoing cybersecurity threats against our critical infrastructure and the federal government." They say that the legislation is "urgently needed in the face of potential cyberattacks sponsored by the Russian government in retaliation for U.S. support in Ukraine."
The Bill's Components
The package combines language from three bills Peters and Portman advanced out of committee - the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act. It would require critical infrastructure owners and operators to report to the U.S. Cybersecurity and Infrastructure Security Agency within 72 hours if they experience a substantial cyberattack and within 24 hours if they make a ransomware payment.
The package would update current federal government cybersecurity laws to improve coordination between federal agencies, require the federal government to take a risk-based approach to cybersecurity, and require civilian agencies to report all cyberattacks to CISA and update the threshold for agencies to report cyber incidents to Congress.
The bill also provides additional authorities to CISA to ensure it is the lead federal agency in charge of responding to cyber incidents on federal civilian networks. The measure follows questions from some lawmakers in 2021 who cited growing bureaucracy and complicated jurisdictional boundaries among federal cybersecurity officials. This followed the confirmations of both CISA Director Jen Easterly and the new cabinet-level cybersecurity adviser, National Cyber Director Chris Inglis.
The three-part bill would also authorize the Federal Risk and Authorization Management Program, known as FedRAMP, for five years, which Peters and Portman say will "ensure federal agencies are able to quickly and securely adopt cloud-based technologies that improve government efficiency and save taxpayer dollars."
The legislation will move to the House, where Peters and Portman say they are working closely with Reps. Yvette Clarke, D-N.Y.; John Katko, R-N.Y.; Carolyn Maloney, D-N.Y.; James Comer, R-Ky.; Gerald Connelly, D-Va.; and Jody Hice, R-Ga.; to pass the bill out of that chamber.
The Senate sponsors expressed their relief on the passage in a statement issued on Wednesday, as CISA and national security agencies continue to warn of potential Russian cyber retaliation, as their economy reels from Western sanctions targeting Russian oligarchs, the country's state banks and - after it was partially excluded from the worldwide bank messaging system - SWIFT.
"As our nation continues to support Ukraine, we must ready ourselves for retaliatory cyberattacks from the Russian government. As we have seen repeatedly, these online attacks can significantly disrupt our economy - including driving up the price of gasoline and threatening our most essential supply chains - as well as the safety and security of our communities," Peters says. "This landmark legislation … is a significant step forward to ensuring the U.S. can fight back against cybercriminals and foreign adversaries who launch these persistent attacks."
Peters says he will be pushing the "urgently needed legislation" to his counterparts in the House, who will reconcile some differences. Notably, in the House version of FISMA modernization, there is a clause codifying the role of the federal CISO within the Office of Management and Budget, but it is absent in the Senate bill.
Portman says: "I am concerned that, as our nation rightly continues to support Ukraine during Russia's illegal, unjustifiable assault, the U.S. will face increased cyber and ransomware attacks from Russia in retaliation. The federal government must quickly coordinate its response to potential attacks and hold these bad actors accountable.
"That's why I'm proud that the Senate moved quickly to pass our bipartisan [bill] to give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation daily, to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks."
'An Encouraging Step'
And Hugh Taylor, director of the nonpartisan think tank the Cyber Policy Institute, tells ISMG of the passage: "[It's] an encouraging step toward making critical infrastructure more secure from cyberattacks. [And] the timing does not seem like a coincidence, as we have had warnings from CISA and other agencies about increased risks of cyberattacks from Russia in response to sanctions. … It is the right time to focus on cybersecurity in Congress."
One challenge posed by the bill, Taylor says, is "how quickly and effectively" CISA can respond to incident reporting. And while FISMA and FedRAMP are "positive moves," he says, "execution will be essential for success."
Ross Nodurft, executive director of the Alliance for Digital Innovation, senior director of cybersecurity services at the law firm Venable and former chief of OMB's cybersecurity team, says despite this positive momentum, "more work needs to be done to fully fund federal agency cybersecurity requirements while streamlining many of the compliance redundancies that slow down agency acquisition."
'Seen the Light'
Officials have called for related FISMA modernization for a long time - as the bill originally passed in 2002 and has not been modified since 2014, during the Obama administration.
In a recent work session advancing the House FISMA bill, Comer, the Kentucky Republican and Oversight and Reform Committee ranking member, said that since the last modification, "We have seen criminal organizations, nation-states and all manner of enemies unleash a nonstop barrage of cyberattacks against American companies and federal agencies. These threats are becoming more sophisticated and … [jeopardize] national security [and] even the personal safety of [the] American people" (see: House Committee Advances FISMA Modernization Act).
Officials and industry watchers say the modernization efforts will afford CISA proper operational coordination abilities, allow Inglis' office to develop overall cyber strategy, emphasize real-time information sharing and ease compliance burdens.
From the Senate floor on Tuesday, Senate Majority Leader Chuck Schumer, D-N.Y., added: "Today, the Senate is taking an urgently needed step to protect the American people, critical infrastructure, and government institutions from the dangerous threat of cyberattacks."
He added: "This legislation has been around for a while. For too long, certain business interests opposed it. But now they have come to see the light and, in fact, we have a bipartisan agreement - unanimous in this chamber - that this bill [will] move forward. … Cyberwarfare is truly one of the dark arts specialized by Putin and his authoritarian regime. And this bill will help protect us from Putin's attempted cyberattacks."
Rebuke from DOJ
After news of the bill's passage in the Senate, U.S. Department of Justice officials decried its lack of reporting mandates directly to the FBI. In fact, in a statement shared with Politico, Deputy Attorney General Lisa Monaco said the bill leaves "one of our best tools, the FBI, on the sidelines" and "makes us less safe at a time when we face unprecedented threats."
FBI Director Christopher Wray also told Politico that the bill, as written, has "serious flaws" and "would make the public less safe from cyber threats," particularly slowing the FBI's response to imminent threats.
Spokespeople for Sens. Peters and Portman pushed back against the claim, citing the bill's unanimous consent and telling the same outlet that the modified package contains input from the DOJ and FBI.
Update - March 3, 11 a.m. EST - This article has been updated with critical feedback from the DOJ and FBI.