WASHINGTON, DC – U.S. Senators Rob Portman (R-OH) and Gary Peters (D-MI), Ranking Member and Chairman of the Senate Homeland Security and Governmental Affairs Committee, introduced a landmark legislative package that would significantly enhance our nation’s ability to combat ongoing cybersecurity threats against our critical infrastructure and the federal government – particularly in the face of potential cyberattacks sponsored by the Russian government in retaliation for U.S. support of Ukraine. The legislation combines language from three bills Portman and Peters authored and advanced out of their Committee – the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act. The combined bill, known as the Strengthening American Cybersecurity Act, will require critical infrastructure owners and operators and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a substantial cyberattack. It would also require critical infrastructure owners and operators to report ransomware payments to CISA, modernize the government’s cybersecurity posture, and authorize the Federal Risk and Authorization Management Program (FedRAMP) to ensure federal agencies can quickly and securely adopt cloud-based technologies that improve government operations and efficiency. Portman and Peters are working closely with U.S. Representatives John Katko (R-NY), Yvette Clarke (D-NY), James Comer (R-KY), Carolyn Maloney (D-NY), Jody Hice (R-GA), and Gerald Connolly (D-VA), who have led these efforts in the House.
“As cyber and ransomware attacks continue to increase, the federal government must quickly coordinate its response and hold bad actors accountable. This bipartisan legislation will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks. This bill strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements,” said Senator Portman. “In addition, since 2019, through bipartisan investigative reports, I have highlighted the failings of federal agencies to protect their networks. I am glad this legislation will address recommendations in those reports to significantly update FISMA, providing the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised.”
“Cyber-attacks against federal networks and critical infrastructure companies – including oil pipelines, meatpacking centers, and wastewater treatment plants – have disrupted lives and livelihoods across the country. That is why, for months, I have been leading efforts to fight back against cybercriminals and foreign adversaries who launch these incessant attacks,” said Senator Peters. “It is clear that, as our nation continues to counter cyber threats and support Ukraine, we need to pass this legislation to provide additional tools to address possible cyber-attacks from adversaries, including the Russian government. This landmark, bipartisan legislative package will provide our lead cybersecurity agency, CISA, with the information and tools needed to warn of potential cybersecurity threats to critical infrastructure, prepare for widespread impacts, coordinate the government’s efforts, and help victims respond to and recover from online breaches. Our efforts will significantly bolster and modernize federal cybersecurity as new, serious software vulnerabilities continue to be discovered, such as the one in log4j. This combined bill will also ensure that agencies can procure cloud-based technology quickly, while ensuring these systems, and the information they store, are secure.”
Last year, hackers breached the network of a major oil pipeline, forcing the company to shut down over 5,500 miles of pipeline – leading to increased prices and gas shortages for communities across the East Coast. Last summer, the world’s largest beef supplier was hit by a cyberattack, prompting shutdowns at company plants and threatening meat supplies all across the nation. As these kinds of attacks continue to rise, Portman and Peters’s legislation will help ensure critical infrastructure entities such as banks, electric grids, water networks, and transportation systems are able to quickly recover and provide essential services to the American people in the event of network breaches.
The Strengthening American Cybersecurity Act will require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyberattack, and within 24 hours if they make a ransomware payment. Additionally, the package would update current federal government cybersecurity laws to improve coordination between federal agencies, require the government to take a risk-based approach to cybersecurity, as well as require all civilian agencies to report all cyberattacks to CISA, and update the threshold for agencies to report cyber incidents to Congress. It also provides additional authorities to CISA to ensure they are the lead federal agency in charge of responding to cybersecurity incidents on federal civilian networks. Finally, the package would authorize FedRAMP for five years to ensure federal agencies are able to quickly and securely adopt cloud-based technologies that improve government efficiency and save taxpayer dollars.