Spurred on by Russia, Senate bill carries slew of cyber requirements for agencies, industry

New cybersecurity requirements and standards for agencies, contractors and critical infrastructure operators were cleared by the Senate this week after Russia’s invasion of Ukraine sparked concerns about widespread cyber attacks.

The Senate unanimously passed the Strengthening American Cybersecurity Act on Tuesday, just prior to President Joe Biden’s State of the Union address. While lawmakers have been considering a version of the legislation for nearly a year, lawmakers highlighted Russian President Vladimir Putin’s decision to attack Ukraine as a potential tipping point.

“Cyber warfare is truly one of the dark arts specialized by Putin and his authoritarian regime, and this bill will help protect us from Putin’s attempted cyber attacks against our country,” Senate Majority Leader Chuck Schumer (D-N.Y.) said on the Senate floor.

The bill contains three separate pieces of legislation. One would require critical infrastructure operators to report cyber attacks to the Cybersecurity and Infrastructure Security Agency within 72 hours.

The bill also includes the Federal Information Modernization Act of 2022. That measure would modernize federal cyber standards and put CISA in a more central role in overseeing and managing federal cybersecurity.

The third piece is the “Federal Secure Cloud Improvement and Jobs Act of 2022.” It would put a legislative framework around the FedRAMP cloud program, which is run by the General Services Administration and authorizes cloud service providers for government use.

The legislation now needs to be passed by the House, where similar legislation has already garnered bipartisan support.

Cyber incident reporting

The most high profile section of the legislation is cyber incident reporting. In addition to critical infrastructure operators, the bill would require agencies to report cyber attacks to CISA within 72 hours. It would also require federal contractors to report cyber attacks to their awarding agency within the same time frame.

Congress nearly included similar requirements in last year’s Defense authorization bill before they were left out of the final version of the legislation.

The House Homeland Security Committee passed the incident reporting legislation last year. The effort was led by Homeland Security Cybersecurity and Infrastructure Protection Subcommittee Chairwoman Yvette Clarke (D-N.Y.) and Ranking Member John Katko (R-N.Y.).

In a statement, Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) and Ranking Member Rob Portman (R-Ohio) said they are working closely with House lawmakers to get the incident reporting requirements and other elements of the bill to President Joe Biden’s desk.

FISMA modernization

For agencies, the most consequential part of the legislation may be FISMA modernization. The provisions would elevate the role CISA plays in federal cybersecurity, while increasing Congressional oversight of key cyber initiatives.

The bill would require agency progress reports on implementing zero trust security. The White House recently released a multi-year zero trust strategy with goals and milestones for agencies.

The bill would also push agencies to increase “the use of automation to improve federal cybersecurity and visibility” as well as “the use of presumption of compromise and least privilege principles to improve resiliency and timely response actions to incidents on Federal systems.”

It would reduce FISMA reporting requirements by shifting independent assessments for each civilian executive branch agency to once every two years. FISMA assessments are currently conducted annually by agency inspectors general or external auditors.

Agencies would be required to inventory their internet-accessible information systems and assets. CISA would perform risk assessments of agencies “on an ongoing and continuous basis,” using information such as vulnerability remediation efforts, incident analysis, vulnerability disclosure programs, threat hunting results, cyber threat intelligence, and other techniques.

The bill would also require OMB, CISA and the National Cyber Director to develop a “risk-based budget model” for cybersecurity. Such a model would work by “identifying and prioritizing cybersecurity risks and vulnerabilities, including impact on agency operations in the case of a cyber attack, through analysis of cyber threat intelligence, incident data, and tactics, techniques, procedures, and capabilities of cyber threats.”

Matthew McFadden, vice president of cyber at General Dynamics Information Technology, said the FISMA bill should help provide important metrics of success as agencies move toward the new zero trust concept.

“I think this will allow agencies to implement zero trust architecture, but more importantly, provide some oversight in understanding agency progress towards that goal,” McFadden said. “What they need to do from a reporting perspective, what the standards would be for things like logging, and then actually developing metrics to help support those goals.”

The House Committee on Oversight and Government Reform already passed a nearly identical FISMA bill last month.

One key difference is the House committee’s bill would codify the federal chief information security officer’s role into law, while the Senate bill contains no such provision.

Chairwoman Carolyn Maloney (D-N.Y.) said she’s committed to ironing out the differences and getting the bill across the finish line in the House.

“FISMA reform will determine our federal cybersecurity posture for years to come, and it is essential that the final bill seizes every opportunity to defend our federal networks from the onslaught of attacks they face daily,” she said. “Chairman Peters and I are jointly committed to this goal, and we are certain we’ll succeed in getting this bill to the President’s desk soon.”

FedRAMP authorization

The bill would also authorize the Federal Risk Management and Authorization Management (FedRAMP) program for five years. Since 2011, the General Services Administration has used FedRAMP to ensure agencies are using secure cloud products and services.

The House passed a similar measure last January, sponsored by Reps. Gerry Connolly (D-Va.), James Comer (R-Ky.) and Jody Hice (R-Ga.).

Biden’s executive order on cybersecurity, the new zero trust strategy and other federal initiatives have only bolstered the push in recent years to increase the use of cloud across agencies.

“We’re going to see an increase of more and more cloud providers as folks want to move their services into FedRAMP,” McFadden said. “And then you’re going to see an even greater increase of those authorizations across agencies. So consequently, we need to be able to make investments to support that.”

The bill cites some key data from GSA. As of last fall, there were 239 cloud providers with FedRAMP authorizations, with those authorizations having been reused more than 2,700 times across various agencies.

But a 2019 Government Accountability Office report found agencies didn’t always use FedRAMP, while the Office of Management and Budget did not monitor the program.

The new legislation would have OMB provide annual reports to Congress on the use of the FedRAMP program, while GAO would be tasked with doing a new audit of the program within 180 days.

Industry is also pushing to streamline the FedRAMP process so that authorizations can be obtained more easily. Industry groups also want to increase reciprocity, where one agency accepts a cloud security authorization that was granted for another.

The legislation would create a Federal Secure Cloud Advisory Committee “to ensure effective and ongoing coordination of agency adoption, use, authorization, monitoring, acquisition, and security of cloud computing products and services to enable agency mission and administrative priorities.”

The committee would include 15 members and have either the GSA administrator or a representative serve as chairman. It would also include five members from the cloud industry, including at least two from a small business.

The committee would provide advice and recommendations to GSA and the FedRAMP board “on technical, financial, programmatic, and operational matters regarding secure adoption of cloud computing products and services,” according to the bill.
