Senate lawmakers propose combining cyber incident reporting, FedRAMP and FISMA legislation
Senate lawmakers Tuesday introduced new legislation that would enact new cyber incident reporting requirements across the private sector and public agencies if it passes into law.
Sens. Rob Portman, R-Ohio, and Gary Peters, D-Mich., introduced the new Strengthening American Cybersecurity Act, intended to improve the likelihood of passing into law by marrying aspects of the previously proposed Cyber Incident Reporting Act, Federal Information Security Modernization Act of 2021 and the Federal Secure Cloud Improvement and Jobs Act.
If it passes, it will require critical infrastructure owners and operators and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a substantial cyberattack.
In addition, it would mandate the reporting of all ransomware payments to CISA and authorize the Federal Risk and Authorization Management Program (FedRAMP) to ensure federal agencies fast-track the adoption of cloud technologies.
The latest attempt to pass legislation that would mandate cyber incident reporting comes after a compromise version of the fiscal 2022 National Defense Authorization Act in December left out language that would set timeframes within which critical infrastructure owners and operators must report major incidents.
Lawmakers working with Peters and Portman on the new legislative proposals include Reps. Yvette Clarke, D-N.Y., John Katko R-N.Y., Carolyn Maloney D-N.Y., James Comer R-Ky., Gerry Connelly, D-Va. and Jody Hice, R-Ga.
“It is clear that, as our nation continues to counter cyber threats and support Ukraine, we need to pass this legislation to provide additional tools to address possible cyber-attacks from adversaries, including the Russian government,” Peters said.
Portman added: “This bipartisan legislation will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks. This bill strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.”
The new bill would substantially boost the role of CISA as the federal agency responsible for overseeing and enforcing cybersecurity standards across the federal government and also the private sector.
It comes amid wide-ranging debate over the role and funding given to the four-year-old agency.
Writing in Foreign Affairs last month, former Principal Deputy Director of National Intelligence Sue Gordon and former Assistant Secretary of Defense for Homeland Defense and Global Security Eric Rosenbach argued that CISA’s $3 billion annual budget should be tripled over the next four years.