The Senate Committee on Public Safety and Public Affairs has advanced legislation that seeks to reform how federal agencies and government contractors report cybercrime and the security measures in place to protect against it.
The committee on Wednesday passed the Federal Information Security Modernization Act of 2021 and a controversial bill governing private companies’ reporting of cyber incidents and ransom payments.
Among other things, the first renewal of FISMA in seven years would require the director of the Office of Administration and Budget, in conjunction with the National Cyber Director and the director of the Cybersecurity and Infrastructure Security Agency, to redefine the term “major event” that agencies use when reporting to CISA and Congress.
The attack on government contractor SolarWinds made the issue clear: some stakeholders, such as Commerce, considered the incident “serious” and reported it accordingly, while others, such as Health and Human Services, did not.
The law specifically directs the OMB director to include in that definition “any incident the head of the agency decides may have an impact on national security, national security, or economic security in the United States.” The current framework for reporting cyber incidents, in both the public and private sectors, is largely focused on the exposure of a certain amount of personal identification information, which was not as significant a factor in the SolarWinds breach or other recent hacks such as the Colonial Pipeline ransomware attack. Agencies will be required to report incidents they determine to be “major” within 72 hours to a group of administration leaders including the CISA and OMB directors, with subsequent reports supplying further information. OMB will also be required to issue guidance on the matter for contractors.
The new FISMA would also direct the OMB and CISA directors, the National Cyber Director and the director of the National Institute of Standards and Technology to create and implement a model framework for cyber-focused budgeting, place a cyber advisor from CISA with each agency’s Chief Information Officer, extend the Federal Acquisition Security Council through the end of 2026, and establish a pilot program in which CISA provides agencies with a security operations center as a service.
Before passing the private sector reporting bill, the committee adopted two amendments from Sen. Rob Portman, R-Ohio, who sponsored the bill together with committee chairman Gary Peters, D-Mich.
The first amendment would ensure that any information companies submit in incident reports cannot be used in any court or by any regulatory agency.
“The Chamber of Commerce supports this law. Another reason they support this law is that they believe we will handle the debt issue well,” said Portman, proposing the amendment. “I know this issue has been controversial, and I want to thank Chairman Peters for working with us to try to achieve something, too, that fulfills the expectations of the business community.”
Portman’s second amendment would exempt some small businesses from reporting the ransom payments they make, something Peters suggested could be revisited in an effort to incorporate the legislation into the next Defense Authorization Act. Peters voted for the amendment “in a spirit of progress” after initially opposing it.
“We know that there are issues raised in this language in this law, but today’s action is the first step, and it can be hoped that it will be another step, which will be part of the National Defense Authorization for the whole country security in this case,” said Peters after an off-camera break before the vote. “You have my commitment as chairman, you are committed to a member who is at a level that you can work with members on both sides to deal with any issues, so that we have a good product that fits the great risks we face.”
Another dynamic is still in play as legislators consider incorporating incident reporting legislation into the NDAA, including a Senate bill from Sen. Mark Warner, D-Va. Warner’s bill, unlike the Peters-Portman bill and the similar effort already included in the House-passed NDAA, would use fines to enforce corporate reporting. While industry representatives opposed the use of fines, senior cyber officials, including CISA Director Jen Easterly, Chief of Defense Staff Chris De Rusha and National Cyber Director Chris Inglis, all expressed support for that aspect of Warner’s approach.
A spokesman for Warner’s office told Nextgov: “Senator Warner remains committed to a solution that requires infrastructure owners and operators to report cyber attacks in a timely manner, and looks forward to working with colleagues to achieve that goal.”