The Senate on March 1 approved by unanimous consent the Strengthening American Cybersecurity Act of 2022.
The bill is a sweeping legislative package introduced last month that aims to update the Federal Information Security Management Act (FISMA), codify the General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP), and require timely cyber incident reporting by critical infrastructure providers.
Sponsors Cite Russian Threats
The sponsors of the legislative package – Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters, D-Mich., and ranking member Rob Portman, R-Ohio – both cited heightened concerns about cyberattacks from Russia following last night’s Senate approval.
Sen. Peters called the bill “common-sense bipartisan legislation that will help protect critical infrastructure from the absolutely relentless cyberattacks that we see that threaten both our economy as well as our national security.”
“I think this is especially important right now as we face increased risk of cyberattacks from Russia and the cybercriminals that they harbor in retaliation for our support for Ukraine,” Sen. Peters said.
Sen. Portman said the Strengthening American Cybersecurity Act of 2022 will give the National Cyber Director and other Federal agencies “broad visibility into the cyberattacks taking place across our nation daily.”
“I’m concerned that, as our nation rightly continues to support Ukraine during Russia’s illegal, unjustifiable assault, the U.S. will face increased cyber & ransomware attacks from Russia,” the senator said. “The federal government must quickly coordinate its response to any potential attacks.”
“This bipartisan legislation will work to hold these bad actors accountable and enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks,” Sen. Portman said.
Awaiting House Action
With Senate approval wrapped up, the legislative package awaits consideration in the House. The package approved by the Senate tracks broadly – but far from exactly – with existing legislative efforts in the House.
On the FedRAMP front, the House in January 2021 approved legislation offered by Rep. Gerry Connolly, D-Va., chairman of the House Government Operations Subcommittee, that would codify the program into law, provide $20 million of funding to run it, and work to reduce duplication of security assessments by presuming adequacy for cloud technologies that have already received FedRAMP certification.
The bill also would require the General Services Administration – which runs the FedRAMP program – to automate security assessments and reviews. And it would establish a Federal Secure Cloud Advisory Committee to coordinate acquisition and adoption of cloud products by the Federal government.
Rep. Connolly hailed last month’s introduction of the cybersecurity package legislation in the Senate, saying the legislation puts Congress “on the cusp” of FedRAMP reform, and brings legislators “another step closer to reforming, streamlining, and codifying this critical cybersecurity regime for Federal cloud technologies.”
The Senate’s unanimous approval of the cybersecurity package appears to bode well for overcoming what had been strenuous industry objections to mandatory cyber incident reporting requirements on critical infrastructure providers. An attempt to attach incident reporting legislation to the Fiscal Year 2022 National Defense Authorization Act earlier this year was unsuccessful.
On the House side, Reps. Yvette Clarke, D-N.Y., who chairs the House Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, and John Katko, R-N.Y., ranking member on the House Homeland Security Committee, are cosponsors of the Cyber Incident Reporting for Critical Infrastructure Act of 2021. That bill would require critical infrastructure owners and operators to report any cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours.
Both House members said in January that cyber incident reporting was among their top legislative priorities for 2022.