A bipartisan group of four senators has introduced an amendment to a defense spending bill that, among other things, would require critical infrastructure owners and operators to report a cyberattack within three days.
According to Sens. Mark Warner (D-VA), Gary Peters (D-MI), Rob Portman (R-OH), and Susan Collins (R-ME), the amendment is based on the Cyber Incident Reporting Act and Federal Information Security Modernization Act of 2021 that were advanced out of the Senate’s Homeland Security and Governmental Affairs Committee last month.
The amendment is largely designed to give federal cybersecurity experts, including the National Cyber Director and CISA, more authority to respond to cyber incidents.
The amendment would give critical infrastructure owners and operators 72 hours to report a cyberattack to the U.S. Cybersecurity and Infrastructure Security Agency.
In addition to requiring critical infrastructure entities to report a cyberattack, the amendment to the annual defense authorization bill would require other organizations, including businesses, nonprofits and state and local governments to report to the federal government within 24 hours if they make a ransom payment.
The amendment would also update current federal government cybersecurity laws to improve coordination between federal agencies, force the government to take a risk-based approach to security and require civilian agencies to report all attacks to CISA. Major cyber incidents would also have to be reported to Congress.
The proposed law would also grant CISA additional power to lead the U.S. response to cybersecurity incidents on federal civilian networks.
Peters, chairman of the Homeland Security and Governmental Affairs Committee, in a statement called cyberattacks and ransomware a “serious national security threat.”
“I’m grateful to my colleagues for working together to introduce this bipartisan amendment that will take significant steps to strengthen cybersecurity protections, ensure that CISA is at the forefront of our nation’s response to serious breaches, and most importantly, requires timely reporting of these attacks to the federal government so that we can better prevent future incidents and hold attackers accountable for their crimes,” Peters said.
Portman, ranking member of the same committee, said the federal government must be able to quickly coordinate a response and hold bad actors accountable.
“This bipartisan amendment to significantly update FISMA will provide the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised,” he said.
The amendment comes after Sen. Elizabeth Warren (D-Mass.) and Rep. Deborah Ross (D-N.C.) announced last month a proposed ransomware reporting bill that would require organizations that pay the ransom to disclose that information to the U.S. Department of Homeland Security.