Senate Passes Act That Would Require Disclosing Cyberattacks
The Senate has passed legislation that, among other requirements, would require critical infrastructure entities to report to the federal government when they are hacked.
In another sign that the U.S. government continues to take cybersecurity seriously, the Senate on Tuesday passed the Strengthening American Cybersecurity Act of 2022, legislation that would require companies that oversee U.S. critical infrastructure to report to the government when they've experienced a cybersecurity incident.
The legislation is actually a package of three bills: the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act.
The main portion of the package, the Cyber Incident Reporting Act, would require organizations to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours when they've been hacked, and within 24 hours if they make a ransomware payment. Other parts of the legislation are designed to enhance communication between federal agencies on cybersecurity matters, give CISA more responsibilities for responding to incidents, and require the U.S. government to take a more risk-based approach to cybersecurity. The third part of the package, the Federal Secure Cloud Improvement and Jobs Act, authorizes FedRAMP to ensure federal agencies are able to quickly adopt cloud technology.
The aim is to let FedRAMP, a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and monitoring, better ferret out vulnerabilities in cloud-based software supply chains. The act ensures FedRAMP's procurement program will continue for the next five years and that cloud service providers have the appropriate security in place to continue to interact with agencies.
The Federal Information Security Modernization Act (FISMA) portion of the legislation is designed to update FISMA, first passed in 2002.
The law, which governs the cybersecurity of civilian agencies, made it a requirement for federal agencies to develop, document, and implement an information security and protection program but hasn’t been updated since 2014.
FISMA is an important regulation for federal data security standards, and experts have long argued that it needs to be updated to reflect risks brought to light by supply chain attacks like log4j and SolarWinds and pivotal ransomware attacks like WannaCry and NotPetya, all of which took place after the act was last updated.
While cybersecurity bills can move at a glacial pace in Washington, with Ukraine deep in the throes of a Russian invasion, the threat of Russian cyberattacks - even against the U.S. - has become far more palpable.
The package was passed unanimously on Tuesday, not even a month after it was introduced by Sen. Gary Peters (D-Mich.) and Sen. Rob Portman (R-Ohio), suggesting that geopolitical events accelerated the timeline on the package.
“As cyber and ransomware attacks continue to increase, the federal government must quickly coordinate its response and hold bad actors accountable. This bipartisan legislation will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks,” Portman said at the time. “This bill strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.”
While the U.S. has failed to advance measures in the past to address cybersecurity, sophisticated attacks carried out by Russia and China against U.S. targets have forced the country's hand, prompting a stronger effort to fortify its cyber defenses over the last year or so.
Last year the White House issued an executive order mandating a series of stricter cybersecurity measures. As a result, last month the Department of Homeland Security launched its first Cyber Safety Review Board (CSRB), composed of government and industry leaders, to investigate major cybersecurity incidents like log4j and SolarWinds.