The Senate has passed a bipartisan bill designed to harden U.S. cybersecurity in both the public and private sectors, requiring organizations to report significant cyberattacks and ransomware payments to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The proposed bill, the Strengthening American Cybersecurity Act, combines language from three bills that Sens. Rob Portman (R-OH) and Gary Peters (D-MI) authored and advanced out of their committee, including the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act.
In addition to requiring critical infrastructure owners and operators and civilian federal agencies to report significant cyberattacks and ransomware payments to CISA, the proposed law also seeks to modernize the government’s security posture and authorizes the Federal Risk and Authorization Management Program (FedRAMP) to ensure U.S. agencies can quickly and securely adopt cloud-based technologies, according to the U.S. Senate Committee on Homeland Security and Governmental Affairs.
Per the proposed law, critical infrastructure owners and operators such as banks, electrical grids, water networks and transportation systems have three days to report substantial cyberattacks to CISA, and just 24 hours to report a ransomware payment.
In addition, the law would update federal government cybersecurity laws to improve coordination between agencies and require the government to take a risk-based approach to cybersecurity.
The bill also provides additional authorities to CISA to ensure it is the lead federal agency in charge of responding to cybersecurity incidents on federal civilian networks.
Also, the law would authorize FedRAMP for five years to ensure federal agencies can quickly and securely adopt cloud-based technologies to improve government efficiency.
The passage of the bill comes as CISA and other government agencies are warning U.S. organizations to be on the lookout for large-scale cyberattacks in the wake of Russia’s invasion of Ukraine, which has produced a litany of cyberattacks against both Ukrainian and Russian organizations.
To become law, the bill must also pass in the House and be signed by President Joe Biden.