Two bipartisan bills authored by U.S. Senator Gary Peters (D-MI) and U.S. Senator Rob Portman (R-OH) requiring critical infrastructure owners and operators and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a cyber-attack, and most entities to report if they make a ransomware payment, have advanced in the Senate. The legislation was approved by the Senate Homeland Security and Governmental Affairs Committee, where Peters serves as Chair and Portman serves as Ranking Member. The bills would improve federal agencies’ understanding of how to best combat online attacks, including ransomware, and ensure our nation has the tools and resources it needs to protect federal information technology systems.
“Ransomware and other online assaults against public and private networks have caused gas shortages across the East Coast, allowed hackers to access critical federal systems, and compromised the sensitive information of millions of Americans. Our bipartisan legislation will help fight back against these serious threats by ensuring CISA is notified of any attack on critical infrastructure companies and civilian federal networks, as well as when most other entities make a ransomware payment,” said Senator Peters. “This information will help lead cybersecurity agencies and Congress in our efforts to establish a comprehensive strategy to punish cybercriminals for targeting American networks and prevent them from disrupting lives and livelihoods across our nation.”
“As cyber and ransomware attacks continue to increase, I’m pleased the Senate Homeland Security and Governmental Affairs Committee has passed our bipartisan Cyber Incident Reporting Act and bipartisan legislation to update the Federal Information Security Modernization Act (FISMA) because the federal government must be able to quickly coordinate a response and hold bad actors accountable,” said Senator Portman. “The Cyber Incident Reporting Act will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks. Our bipartisan legislation to significantly update FISMA will provide the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised.”
The Cyber Incident Reporting Act would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyber-attack. The bill also creates a requirement for other organizations, including businesses, nonprofits, and state and local governments, to notify the federal government within 24 hours if they make a ransom payment. The legislation directs federal agencies that are notified of attacks to provide that information to CISA and creates a Cybersecurity Incident Reporting Council to coordinate federal reporting requirements. The bill provides CISA with the authority to subpoena entities that fail to report cybersecurity incidents or ransomware payments. Entities that fail to comply with the subpoena can be referred to the Department of Justice and barred from contracting with the federal government. The legislation would also require entities that plan to make a ransom payment to evaluate alternatives before making the payment. Finally, the bill requires CISA to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit, and directs the National Cyber Director to establish a joint ransomware task force to coordinate federal efforts, in consultation with industry, to prevent and disrupt ransomware attacks.
The Federal Information Security Modernization Act of 2021 overhauls and updates the Federal Information Security Modernization Act of 2014 to support more effective cybersecurity practices throughout the federal government and improve coordination between the Office of Management and Budget (OMB), CISA, the National Cyber Director, and other federal agencies and contractors when addressing online threats. The bill requires civilian agencies to report all cyber-attacks to CISA and major incidents to Congress, and provides additional authorities to CISA to ensure it is the lead agency for responding to incidents and breaches on federal civilian networks. The legislation also codifies aspects of President Biden’s Executive Order on Improving the Nation’s Cybersecurity to enforce higher-level security protections for federal information systems and the sensitive data they often store. Finally, the bill requires OMB to develop guidance for federal agencies to use so they can efficiently allocate the cybersecurity resources they need to protect their networks.
As Chairman and Ranking Member of the Homeland Security and Governmental Affairs Committee, Peters and Portman have led several efforts to strengthen our nation’s cybersecurity. The senators convened a hearing with top federal cybersecurity officials to examine additional resources and authorities the federal government needs to deter cyber-attacks. In August, the senators released Federal Cybersecurity: America’s Data Still at Risk, a report on federal agency cybersecurity focused on eight specific agencies, which revealed that ongoing improvements are also needed to federal agency cybersecurity. Peters and Portman’s bipartisan legislation to promote stronger cybersecurity coordination between DHS and state and local governments has advanced in the Senate. In June, the senators also convened the first hearing with the Chief Executive Officer of Colonial Pipeline to examine the ransomware attack against the company.