WASHINGTON, D.C. – The Senate has passed a landmark legislative package authored by U.S. Senators Gary Peters (D-MI) and Rob Portman (R-OH), Chairman and Ranking Member of the Homeland Security and Governmental Affairs Committee, to significantly enhance our nation’s ability to combat ongoing cybersecurity threats against our critical infrastructure and the federal government. The legislation is urgently needed in the face of potential cyber-attacks sponsored by the Russian government in retaliation for U.S. support in Ukraine. The legislation combines language from three bills Peters and Portman authored and advanced out of their committee – the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act. The combined bill, known as the Strengthening American Cybersecurity Act, would require critical infrastructure owners and operators and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a substantial cyber-attack. It would also require critical infrastructure owners and operators to report ransomware payments to CISA, modernize the government’s cybersecurity posture, and authorize the Federal Risk and Authorization Management Program (FedRAMP) to ensure federal agencies can quickly and securely adopt cloud-based technologies that improve government operations and efficiency. The legislation now moves to the House where Peters and Portman are working closely with U.S. Representatives Yvette Clarke (D-NY-09), John Katko (R-NY-24), Carolyn Maloney (D-NY-12), James Comer (R-KY-01), Gerald Connelly (D-VA-11), and Jody Hice (R-GA-10) to pass the bill out of that chamber.
“As our nation continues to support Ukraine, we must ready ourselves for retaliatory cyber-attacks from the Russian government. As we have seen repeatedly, these online attacks can significantly disrupt our economy – including by driving up the price of gasoline and threating our most essential supply chains – as well as the safety and security of our communities. This landmark legislation, which has now passed the Senate, is a significant step forward to ensuring the United States can fight back against cybercriminals and foreign adversaries who launch these persistent attacks,” said Senator Peters. “Our landmark, bipartisan bill will ensure CISA is the lead government agency responsible for helping critical infrastructure operators and civilian federal agencies respond to and recover from major network breaches and mitigate operational impacts from hacks. I will continue urging my colleagues in the House to pass this urgently needed legislation to improve public and private cybersecurity as new vulnerabilities are discovered, and ensure that the federal government can safety and securely utilize cloud-based technology to save taxpayer dollars.”
“I am concerned that, as our nation rightly continues to support Ukraine during Russia’s illegal, unjustifiable assault, the United States will face increased cyber and ransomware attacks from Russia in retaliation. The federal government must quickly coordinate its response to potential attacks and hold these bad actors accountable. That’s why I’m proud that the Senate moved quickly to pass our bipartisan Strengthening American Cybersecurity Act to give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation daily to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks,” said Senator Portman. “In addition, since 2019, through bipartisan investigative reports, I have highlighted the failings of federal agencies to protect their networks. This legislation will address recommendations in those reports to significantly update FISMA, providing the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised.”
Last year, hackers breached the network of a major oil pipeline forcing the company to shut down over 5,500 miles of pipeline – leading to increased prices and gas shortages for communities across the East Coast. Last summer, the country’s largest beef supplier was hit by a cyber-attack, prompting shutdowns at company plants and threatening meat supplies all across the nation. As these kinds of attacks continue to rise, Peters and Portman’s legislation would help ensure critical infrastructure entities such as banks, electric grids, water networks, and transportation systems are able to quickly recover and provide essential services to the American people in the event of network breaches.
The Strengthening American Cybersecurity Act would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyber-attack, and within 24 hours if they make a ransomware payment. Additionally, the package would update current federal government cybersecurity laws to improve coordination between federal agencies, require the government to take a risk-based approach to cybersecurity, as well as require all civilian agencies to report all cyber-attacks to CISA, and update the threshold for agencies to report cyber incidents to Congress. It also provides additional authorities to CISA to ensure they are the lead federal agency in charge of responding to cybersecurity incidents on federal civilian networks. Finally, the package would authorize FedRAMP for five years to ensure federal agencies are able to quickly and securely adopt cloud-based technologies that improve government efficiency and save taxpayer dollars.
Click here to view text of Peters and Portman’s bipartisan cybersecurity legislation that passed the Senate.