Portman, Peters Bipartisan Bills Strengthening Federal and Private Sector Cybersecurity Advance in Senate

WASHINGTON, DC – Today, U.S. Senators Rob Portman (R-OH) and Gary Peters (D-MI), Ranking Member and Chairman of the Senate Homeland Security and Governmental Affairs Committee, announced their Cyber Incident Reporting Act and Federal Information Security Modernization Act of 2021 were approved by the Senate Homeland Security and Governmental Affairs Committee. The bipartisan bills will require critical infrastructure owners and operators and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a cyberattack, and most entities to report if they make a ransomware payment. The bills will improve federal agencies’ understanding of how to best combat online attacks, including ransomware, and ensure our nation has the tools and resources it needs to protect federal information technology systems. 

“As cyber and ransomware attacks continue to increase, I’m pleased the Senate Homeland Security and Governmental Affairs Committee has passed our bipartisan Cyber Incident Reporting Act and bipartisan legislation to update the Federal Information Security Modernization Act (FISMA) because the federal government must be able to quickly coordinate a response and hold bad actors accountable,” said Senator Portman. “The Cyber Incident Reporting Act will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks. Our bipartisan legislation to significantly update FISMA will provide the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised.” 

“Ransomware and other online assaults against public and private networks have caused gas shortages across the East Coast, allowed hackers to access critical federal systems, and compromised the sensitive information of millions of Americans. Our bipartisan legislation will help fight back against these serious threats by ensuring CISA is notified of any attack on critical infrastructure companies and civilian federal networks, as well as when most other entities make a ransomware payment,” said Senator Peters. “This information will help lead cybersecurity agencies and Congress in our efforts to establish a comprehensive strategy to punish cybercriminals for targeting American networks and prevent them from disrupting lives and livelihoods across our nation.” 

The Cyber Incident Reporting Act would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyberattack. The bill also creates a requirement for other organizations, including businesses, nonprofits, and state and local governments, to notify the federal government within 24 hours if they make a ransom payment. The legislation directs federal agencies that are notified of attacks to provide that information to CISA and creates a Cybersecurity Incident Reporting Council to coordinate federal reporting requirements. The bill provides CISA with the authority to subpoena entities that fail to report cybersecurity incidents or ransomware payments. Entities that fail to comply with the subpoena can be referred to the Department of Justice and barred from contracting with the federal government. The legislation would also require entities that plan on making a ransom payment to evaluate alternatives before making the payment. Finally, the bill requires CISA to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit, and directs the National Cyber Director to establish a joint ransomware task force to coordinate federal efforts, in consultation with industry, to prevent and disrupt ransomware attacks.

The Federal Information Security Modernization Act of 2021 overhauls and updates the Federal Information Security Modernization Act of 2014 to support more effective cybersecurity practices throughout the federal government and improve coordination between the Office of Management and Budget (OMB), CISA, the National Cyber Director, and other federal agencies and contractors when addressing cyber threats. The bill requires civilian agencies to notify individuals when their information is compromised and to report major incidents to Congress. The legislation also codifies aspects of President Biden’s Executive Order on Improving the Nation’s Cybersecurity to enforce higher-level security protections for federal information systems and the sensitive data they store. Finally, the bill requires OMB to issue guidance to federal agencies to efficiently allocate the cybersecurity resources they need to protect their networks.

As Ranking Member and Chairman of the Homeland Security and Governmental Affairs Committee, Portman and Peters have led several efforts to strengthen our nation’s cybersecurity. The senators convened a hearing with top federal cybersecurity officials to examine additional resources and authorities the federal government needs to deter cyberattacks. In August, the senators released Federal Cybersecurity: America’s Data Still at Risk, a report on eight specific agencies that revealed that ongoing improvements are also needed in federal agency cybersecurity. Portman and Peters’ bipartisan legislation to promote stronger cybersecurity coordination between DHS and state and local governments has advanced in the Senate. In June, the senators also convened the first hearing with the Chief Executive Officer of Colonial Pipeline to examine the ransomware attack against the company.