Leaders on the Senate Homeland Security Committee reintroduced a combined package of three cyber related bills that missed the cut for last year’s National Defense Authorization Act, saying they intend to push for their passage all at once in a legislative vehicle yet to be determined.
Last year, the committee introduced three bills that were viewed as a priority to modernize the government’s cybersecurity operations.
One, the Cyber Incident Reporting Act, would require critical infrastructure owners to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours when they are hacked or suffer a significant cyber incident. Another modernizes the Federal Information Security Management Act, the primary law governing the cybersecurity of civilian agencies, and incorporates newer entities like CISA and the national cyber director into the federal reporting chain. A third is designed to codify FedRAMP, the civilian government’s cloud security certification program, into law and better account for vulnerabilities in the software supply chains of cloud service providers.
The combined bill was introduced at the start of a hearing the committee held Tuesday around the Log4j vulnerability. Peters and others cited the widespread attack surface that bugs like Log4j can exploit on public and private sector networks, as well as incidents like the Colonial Pipeline and JBS ransomware attacks to justify its quick passage.
“All three are absolutely essential for our cybersecurity, they’ve all passed out of committee…we’re hoping to move it as a package quickly,” Peters told SC Media following the hearing.
Initially, the committee was looking at two possible legislative vehicles to attach the bills: an upcoming government funding agreement and as part of the United States Innovation and Competition Act, which passed the Senate last year. However, House Democrats passed their own version of USICA last week and the bill will now move to conference without the trio. With Congress honing in on another short-term continuing resolution, neither of those bills appear to be realistic options at this point.
The Critical Incident Reporting Act, meanwhile, was dropped from the NDAA after Democrats and Republicans failed to reach consensus on the scope of legislative language requiring some companies to report ransomware payments to the government. The new legislation places the director of CISA in charge of developing regulatory rules within two years that would in part provide “a clear description of the types of entities that constitute covered entities,” their likelihood of being targeted by malicious hackers or foreign governments and the extent that a compromise of that entity could disrupt the reliable operation of critical infrastructure.
Peters told SC Media that he and other stakeholders are now taking an all-of-the-above approach to getting the package passed into law, either through attachment to another piece of major legislation or pushing for a vote as a standalone bill. He said it was important for Congress to move swiftly as the U.S. and Russia continue to spar over a potential invasion of Ukraine and federal agencies need to be prepared for the possibility of blowback in the digital realm.
“We will pass it any way we can," Peters said. "We believe time is of the essence and particularly given the potential threat of Russian activity as a result of what’s happening in the Ukraine, that it's critically important for our cybersecurity agencies to have every tool in their toolbox."
As SC Media has previously reported, the committee began looking to move all three pieces of legislation as part of a package deal following the NDAA. In January, a congressional aide said that the pairing was at the request of Portman, who was initially skeptical of the FedRAMP bill but agreed to support it after changes were made to the legislative text and committee Democrats agreed to move it in tandem with FISMA, which Portman views as a priority.
Portman’s office was initially “very cool on the FedRAMP bill, they didn’t see the need to codify the program” the aide said, and requested a number of changes, including language explicitly preventing certified cloud service providers from using software code developed in countries like China or Russia, before supporting the bill. Still, he views FISMA as a higher priority and wanted the committee’s actions to reflect that, and Peters and committee Democrats do not object to that view.
“I will say this: FedRAMP is not going to pass or be signed into law before FISMA because Rob Portman says so,” the aide said. “And that’s fine, if they get signed at the same time or FISMA beats [FedRAMP] by a day, that’s cool.”