Sponsors of two major pieces of legislation that would make formative changes to the way that private sector companies report cyberattacks to the government – and how Federal government agencies conduct their own cyber defenses – are hitching their hopes for passage to annual defense spending legislation that traditionally gets strong bipartisan support from lawmakers.

The sponsors of the cybersecurity bills join a long line of lawmakers trying to include language in the National Defense Authorization Act for Fiscal Year 2022 (NDAA). The list of Senate-proposed amendments to the House version of the NDAA – which the House approved in September – has grown to several hundred.

Not all of the amendments will end up making it into the Senate bill, or through a conference committee that will reconcile differences between the House and Senate versions of the legislation before final votes on the bill. But the amendments that do manage to stick have a great chance of becoming law, as the NDAA is widely considered to be “must-pass” legislation by lawmakers of all stripes.

FISMA, Cyber Incident Reporting Bills

The two big cybersecurity bills – the Cyber Incident Reporting Act and Federal Information Security Modernization Act (FISMA) of 2021 – are contained in an NDAA amendment offered by the sponsors of the bills, Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters, D-Mich., and ranking member Rob Portman, R-Ohio, along with Sens. Mark Warner, D-Va., and Susan Collins, R-Maine.

The Cyber Incident Reporting bill was approved by the committee last month, and would require critical infrastructure operators to report cyberattacks to the Federal government, and require most government and business entities to report to the government if they make a ransomware payment. The bill features a 72-hour cyberattack reporting window for critical infrastructure companies that was the subject of much industry lobbying earlier this year.

The FISMA update legislation would overhaul the 2014 version of the law that sets forth cybersecurity requirements for Federal civilian agencies, and put in place numerous new requirements for Federal agencies to manage their security functions and measure their effectiveness.

Among other provisions, the bill would:

  • Put the Cybersecurity and Infrastructure Security Agency (CISA) more firmly in the driver’s seat for Federal civilian agency security;
  • Wrap the National Cyber Director and the Office of Management and Budget (OMB) more tightly into cybersecurity policy-setting;
  • Ensure more timely delivery to key congressional committees of details about major cyberattacks;
  • Codify into Federal law some aspects of President Biden’s cybersecurity executive order issued in May; and
  • Put into motion penetration testing of Federal civilian networks – a provision that won the endorsement of Federal CISO Chris DeRusha in several of his recent cybersecurity policy speeches.

Timing Concerns

Aside from its eventual content, the biggest question about the Senate NDAA measure is when it will be brought to the Senate floor for debate.

Senate Majority Leader Chuck Schumer, D-N.Y., has taken loud criticism from Republicans and Democrats about not having moved the bill to the floor sooner, but thus far his office has announced no firm timeline for that.

Scuttlebutt among some Senate staffers this week has focused on the Majority Leader’s desire for action on the Build Back Better Act before the NDAA, and the legislative leverage that the need to consider both bills may entail. Chances are the wait won’t be much longer.

John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.