WASHINGTON, D.C. – U.S. Senators Gary Peters (D-MI), Rob Portman (R-OH), Mark Warner (D-VA), and Susan Collins (R-ME) introduced a bipartisan amendment to the annual defense authorization bill to require critical infrastructure owners and operators and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a cyber-attack, and most entities to report if they make a ransomware payment. The amendment is based on the Cyber Incident Reporting Act and Federal Information Security Modernization Act of 2021 authored by Peters and Portman, and advanced by the Homeland Security and Governmental Affairs Committee, where they serve as Chairman and Ranking Member, respectively.
“Cyber-attacks and ransomware attacks are a serious national security threat that have affected everything from our energy sector to the federal government and Americans’ own sensitive personal information,” said Senator Peters, Chairman of the Homeland Security and Governmental Affairs Committee. “I’m grateful to my colleagues for working together to introduce this bipartisan amendment that will take significant steps to strengthen cybersecurity protections, ensure that CISA is at the forefront of our nation’s response to serious breaches, and most importantly, requires timely reporting of these attacks to the federal government so that we can better prevent future incidents and hold attackers accountable for their crimes.”
“As cyber and ransomware attacks continue to increase, the federal government must be able to quickly coordinate a response and hold bad actors accountable,” said Senator Portman, Ranking Member of the Homeland Security and Governmental Affairs Committee. “That’s why I’m proud to introduce this bipartisan amendment to the FY 2022 NDAA to update the Federal Information Security Modernization Act (FISMA) and give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks. This bipartisan amendment to significantly update FISMA will provide the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised.”
“It seems like every day, Americans wake up to the news of another ransomware attack or cyber intrusion, but the SolarWinds hack showed us that there is nobody responsible for collecting information on the scope and scale of these incidents,” said Senator Warner, Chairman of the Senate Select Committee on Intelligence. “We can’t rely on voluntary reporting to protect our critical infrastructure – we need a routine reporting requirement so that when vital sectors of our economy are affected by a cyber breach, the full resources of the federal government can be mobilized to respond to, and stave off, its impact. I’m glad we were able to come to a bipartisan compromise on this amendment addressing many of the core issues raised by these high-profile hacking incidents.”
“Having a clear view of the dangers the nation faces from cyberattacks is necessary to prioritizing and acting to mitigate and reduce the threat,” said Senator Collins. “My 2012 bill would have led to improved information sharing with the federal government that likely would have reduced the impact of cyber incidents on both the government and the private sector. Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure. I urge my colleagues to pass our amendment, which is common sense and long overdue.”
The amendment would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyber-attack. Many other organizations, including businesses, nonprofits, and state and local governments, would also be required to report to the federal government within 24 hours if they make a ransom payment following an attack. Additionally, the amendment would update current federal government cybersecurity laws to improve coordination between federal agencies, force the government to take a risk-based approach to security, and require all civilian agencies to report all cyber-attacks to CISA and major cyber incidents to Congress. It also provides additional authorities to CISA to ensure it is the lead federal agency in charge of responding to cybersecurity incidents on federal civilian networks.