Spurred by Russia's invasion of Ukraine, Senate passes bill with slew of cybersecurity requirements for agencies and industry

New cybersecurity requirements and standards for agencies, contractors and critical infrastructure operators were approved by the Senate this week, after Russia's invasion of Ukraine sparked concerns about widespread cyberattacks.

The Senate unanimously passed the Strengthening American Cybersecurity Act on Tuesday, just before President Joe Biden's State of the Union address. Lawmakers have been considering a version of the legislation for nearly a year, but they have pointed to Russian President Vladimir Putin's decision to attack Ukraine as a potential tipping point.

"Cyber warfare is truly one of the dark arts that Putin and his authoritarian regime have specialized in, and this bill will help protect us from Putin's attempted cyberattacks against our country," Senate Majority Leader Chuck Schumer (D-N.Y.) said on the Senate floor.

The bill combines three separate pieces of legislation. The first would require critical infrastructure operators to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.

The second is the Federal Information Security Modernization Act of 2022, which would update federal cybersecurity standards under FISMA and place CISA in a more central role in overseeing and managing federal cybersecurity.

The third is the Federal Secure Cloud Improvement and Jobs Act of 2022, which would put a legislative framework around the FedRAMP cloud program, run by the General Services Administration, that authorizes cloud service providers for government use.

The legislation must now pass the House, where similar legislation has already garnered bipartisan support.

Cyber Incident Reporting

The most publicized section of the legislation is the cyber incident reporting requirement. In addition to critical infrastructure operators, the bill would require agencies to report cyberattacks to CISA within 72 hours. It would also require federal contractors to report cyberattacks to their contracting agency within the same time frame.

Congress nearly included similar requirements in last year's National Defense Authorization Act before they were dropped from the final version of the legislation.

The House Homeland Security Committee passed its own incident reporting legislation last year. That effort was led by Cybersecurity and Infrastructure Protection Subcommittee Chair Yvette Clarke (D-N.Y.) and Ranking Member John Katko (R-N.Y.).

In a statement, Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) and Ranking Member Rob Portman (R-Ohio) said they were working closely with House lawmakers to get the incident reporting requirements and the other elements of the bill to President Joe Biden's desk.

FISMA modernization

For agencies, the most consequential part of the legislation may be the modernization of FISMA. The provisions would strengthen CISA's role in federal cybersecurity while increasing congressional oversight of major cyber initiatives.

The bill would require agencies to submit progress reports on their implementation of zero trust security. The White House recently released a multi-year zero trust strategy with goals and milestones for agencies.

The bill would also push agencies to increase “the use of automation to improve federal cybersecurity and visibility” as well as “the use of the presumption of compromise and the principles of least privilege to improve resilience and timely response actions to incidents on federal systems”.

The bill would also reduce FISMA reporting requirements by moving the independent assessment of each civilian executive branch agency to once every two years. FISMA assessments are currently carried out annually by agencies' inspectors general or by external auditors.

Agencies would be required to inventory their information systems and Internet-accessible assets. CISA would perform agency risk assessments “on an on-going and continuing basis,” using information such as vulnerability remediation efforts, incident analysis, vulnerability disclosure programs, threats, cyber threat intelligence and other techniques.

The bill would also require the Office of Management and Budget (OMB), CISA and the National Cyber Director to develop a "risk-based budget model" for cybersecurity. Such a model would work by "identifying and prioritizing cybersecurity risks and vulnerabilities, including the impact on agency operations in the event of a cyber attack, through the analysis of cyber threat intelligence, data on incidents and cyber threat tactics, techniques, procedures and capabilities."

Matthew McFadden, vice president of cyber at General Dynamics Information Technology, said the FISMA bill should help provide important measures of success as agencies move toward zero trust.

“I think this will allow agencies to implement a zero-trust architecture, but more importantly, provide some oversight to understand the agency’s progress toward that goal,” McFadden said. “What they need to do from a reporting perspective, what would be the standards for things like logging, and then develop metrics to help achieve those goals.”

The House Committee on Oversight and Reform already passed a nearly identical FISMA bill last month.

A key difference is that the House committee's bill would codify the role of the federal chief information security officer in law, while the Senate bill contains no such provision.

Committee Chairwoman Carolyn Maloney (D-N.Y.) said she was committed to ironing out the differences and getting the bill across the finish line in the House.

"FISMA reform will determine our federal position on cybersecurity for years to come, and it is essential that the final bill seize every opportunity to defend our federal networks against the onslaught of attacks they face daily," she said. "Chairman Peters and I are jointly committed to achieving this goal, and we are confident that we will soon be successful in getting this bill to the President's desk."

FedRAMP Authorization

The bill would also authorize the Federal Risk and Authorization Management Program (FedRAMP) for five years. Since 2011, the General Services Administration has run FedRAMP to ensure that agencies use cloud products and services that meet a common security baseline.

The House passed a similar measure last January, sponsored by Reps. Gerry Connolly (D-Va.), James Comer (R-Ky.) and Jody Hice (R-Ga.).

Biden's cybersecurity executive order, the new zero trust strategy and other federal initiatives have added pressure in recent years to increase cloud adoption across agencies.

"We're going to see an increase in more and more cloud providers as people want to move their services into FedRAMP," McFadden said. "And then you're going to see an even bigger increase in those clearances across all agencies. Therefore, we need to be able to make investments to support that."

The bill cites some key figures from the GSA. As of last fall, 239 cloud providers held FedRAMP authorizations, and those authorizations had been reused more than 2,700 times across various agencies.

But a 2019 Government Accountability Office report found that agencies were not consistently using FedRAMP, and that the Office of Management and Budget was not adequately monitoring the program.

The new legislation would require OMB to report annually to Congress on use of the FedRAMP program, and would direct the GAO to audit the program again within 180 days.

Industry groups are also pushing to streamline the FedRAMP process to make it easier to obtain authorizations. They also want greater reciprocity, in which one agency accepts a cloud security authorization that has already been granted by another.

The legislation would create a Federal Secure Cloud Advisory Committee “to ensure effective and ongoing coordination of the adoption, use, authorization, monitoring, acquisition and security of products and services of cloud computing by the agency in order to enable the agency’s mission and administrative priorities”.

The committee would consist of 15 members and would be chaired by the GSA administrator or a designee. It would also include five members from the cloud industry, at least two of them from small businesses.

The committee would provide advice and recommendations to the GSA and the FedRAMP Board “on technical, financial, programmatic, and operational matters regarding the secure adoption of cloud computing products and services,” according to the bill.

Norman D. Briggs