Senate passes cybersecurity act forcing orgs to report cyberattacks, ransom payments

The US Senate approved new cybersecurity legislation that will force critical infrastructure organizations to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments within 24 hours. 

The Strengthening American Cybersecurity Act passed by unanimous consent on Tuesday after being introduced on February 8 by Senators Rob Portman and Gary Peters, ranking member and chairman of the Senate Homeland Security and Governmental Affairs Committee. 

The act combines pieces of the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act — all of which were authored by Peters and Portman and advanced out of committee before floundering. 

The 200-page act includes several measures designed to modernize the federal government’s cybersecurity posture, and both Peters and Portman said the legislation was “urgently needed” in light of US support for Ukraine, which was invaded by Russia last week. 

“As our nation continues to support Ukraine, we must ready ourselves for retaliatory cyber-attacks from the Russian government… This landmark legislation, which has now passed the Senate, is a significant step forward to ensuring the United States can fight back against cybercriminals and foreign adversaries who launch these persistent attacks,” Peters said. 

“Our landmark, bipartisan bill will ensure CISA is the lead government agency responsible for helping critical infrastructure operators and civilian federal agencies respond to and recover from major network breaches and mitigate operational impacts from hacks. I will continue urging my colleagues in the House to pass this urgently needed legislation to improve public and private cybersecurity as new vulnerabilities are discovered, and ensure that the federal government can safety and securely utilize cloud-based technology to save taxpayer dollars.”

The act also authorizes the Federal Risk and Authorization Management Program (FedRAMP) for five years to ensure federal agencies can “quickly and securely adopt cloud-based technologies that improve government operations and efficiency.” The act attempts to streamline federal government cybersecurity laws to improve coordination between federal agencies and requires all civilian agencies to report all cyberattacks to CISA.

The legislation updates the threshold for agencies to report cyber incidents to Congress and gives CISA more authority to ensure it is the lead federal agency in charge of responding to cybersecurity incidents on federal civilian networks. 

It now heads to the House for a vote before it makes its way to President Joe Biden’s desk. Peters and Portman said they have been working with chair of the House Oversight Committee Carolyn Maloney as well as Republican and Democratic lawmakers in the House to get the bill approved. 

Maloney told ZDNet that the act contains the Federal Information Security Modernization Act, a provision she called one of her “top legislative priorities.”

“The Committee on Oversight and Reform kicked off 2022 with a bipartisan hearing and markup to examine how best to approach FISMA modernization, and we look forward to incorporating those crucial lessons learned as this effort moves through the legislative process,” Maloney said. 

“FISMA reform will determine our federal cybersecurity posture for years to come, and it is essential that the final bill seizes every opportunity to defend our federal networks from the onslaught of attacks they face daily.”

In his own statement, Portman also touted the ways the act will update FISMA and provide “the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised.”

Both Senators noted that the bill would have applied to the 2021 ransomware attacks on Colonial Pipeline and global meat processor JBS. But the two said the legislation would “help ensure critical infrastructure entities such as banks, electric grids, water networks, and transportation systems are able to quickly recover and provide essential services to the American people in the event of network breaches.” 

CyberSaint co-founder Padriac O’Reilly works directly with critical infrastructure across financial services, utilities, and the government to measure cyber risk.

O’Reilly explained that the current cybersecurity landscape has worn down the long-standing recalcitrance of certain critical infrastructure sectors with respect to the 72-hour reporting window for incidents. 

“There are two sections very deep in the legislation that stand out to me. They talk about a budget-based risk analysis for improving cybersecurity and metrics-based approach to cyber in general. This is precisely what is needed and it has been known for some time in the industry,” O’Reilly said. 

“Section 115 covers automation reporting. This is very timely as automation has been advancing in the private sector and it is key with respect to risk management going forward. I was really impressed to see this in the bill. The government has been trying for years to advance this cause across all agencies and departments. Section 119 really gets at the holy grail in risk management, which is the ability to view cybersecurity risks in a prioritized way with respect to budget.”