March 03, 2022
Washington, D.C.—U.S. Senators Susan Collins (R-ME) and Angus King (I-ME), both members of the Senate Intelligence Committee, touted the Senate’s unanimous passage of a landmark cybersecurity legislative package they co-sponsored, which would significantly enhance our nation’s ability to combat ongoing cybersecurity threats against our critical infrastructure and the federal government. The legislation, which was co-authored by Senators Gary Peters (D-MI) and Rob Portman (R-OH), combines language from three bills: the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act.
The combined bill, known as the Strengthening American Cybersecurity Act, would require critical infrastructure owners and operators and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours if they experience a substantial cyberattack. It would also require critical infrastructure owners and operators to report ransomware payments to CISA, modernize the government’s cybersecurity posture, and authorize the Federal Risk and Authorization Management Program (FedRAMP) to ensure federal agencies can quickly and securely adopt cloud-based technologies that improve government operations, security, and efficiency.
“The possibility of retaliation by the Russian government for U.S. support for Ukraine reflects the urgent need to more effectively address cyberattacks against the U.S. government and critical infrastructure,” said Senator Collins. “Having a clear, shared understanding of the dangers the nation faces from cyberattacks is essential to protecting critical infrastructure in the public and private sector. The country would be safer had the Senate passed a bill I introduced in 2012 that would have led to improved information sharing with the federal government that likely would have reduced the impact of cyber incidents on both the government and the private sector. Nevertheless, now that the Senate has taken action, the House should act as quickly as possible so President Biden can sign this bill into law and enact a robust cyber incident notification requirement that would safeguard sensitive information, prevent the theft of intellectual property, and protect critical infrastructure from our adversaries.”
“As global tensions rise and cyber threats escalate, the United States remains dangerously vulnerable to a cyberattack on our critical infrastructure,” said Senator King, co-chair of the Cyberspace Solarium Commission. “Over the last few years, we’ve seen how critical pieces of society have been compromised or degraded, from gas pipelines and supply chains to businesses and local government operations. Now, as Russia continues to attack Ukraine and threaten all who oppose its unprovoked invasion, this threat is more real than ever. This bill includes a number of essential priorities that will help the U.S. strengthen our cyber resilience, defend our critical infrastructure, and give our cyber authorities the tools they need to protect our nation before disaster strikes. I’m grateful that my Senate colleagues unanimously recognized the urgency of this legislation and hope the House will pass it with expediency.”
Last year, hackers breached the network of a major oil pipeline, forcing the company to shut down over 5,500 miles of pipeline – leading to increased prices and gas shortages for communities across the East Coast. Last summer, the world’s largest beef supplier was hit by a cyberattack, prompting shutdowns at company plants and threatening meat supplies all across the nation. As these kinds of attacks continue to rise, this legislation will help ensure critical infrastructure entities such as banks, electric grids, water networks, and transportation systems are able to quickly recover and provide essential services to the American people in the event of network breaches.
The Strengthening American Cybersecurity Act would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyberattack, and within 24 hours if they make a ransomware payment. Additionally, the package would update current federal government cybersecurity laws to improve coordination between federal agencies, require the government to take a risk-based approach to cybersecurity, require all civilian agencies to report all cyberattacks to CISA, and update the threshold for agencies to report cyber incidents to Congress. It also provides additional authorities to CISA to ensure it is the lead federal agency in charge of responding to cybersecurity incidents on federal civilian networks. Finally, the package would authorize FedRAMP for five years to ensure federal agencies are able to quickly and securely adopt cloud-based technologies that improve government efficiency and save taxpayer dollars.