Leadership of the Senate Homeland Security and Governmental Affairs Committee has introduced a package bill in the Senate that would both update the Federal Information Security Management Act (FISMA), which sets cybersecurity requirements for Federal agencies, and codify the Federal Risk and Authorization Management Program (FedRAMP), which certifies cloud services as secure for use by Federal government agencies.
The Senate legislative package – dubbed the Strengthening American Cybersecurity Act of 2022 – was offered by Sens. Gary Peters, D-Mich., chairman of the committee, and Rob Portman, R-Ohio, the committee’s ranking member.
In addition to wrapping in the Senate’s version of legislation to update FISMA and codify FedRAMP – which both appear to enjoy broad bipartisan support in the Senate and track reasonably well with ongoing House legislative efforts on both issues – the new Senate legislative package takes another run at requiring timely cyber incident reporting from private sector critical infrastructure providers.
Legislative efforts to require mandatory cyber incident reporting last year ran into stiff industry opposition, and an attempt to attach an incident reporting measure in December 2021 to the FY 2022 National Defense Authorization Act (NDAA) was not successful.
Sen. Peters Discusses Bill
Sen. Peters talked about the legislative package at a committee hearing this morning to examine the Federal government’s actions to deal with the Apache Log4j software library vulnerability that emerged in December 2021, and said he hoped the package would move forward in the full Senate “very soon.”
Speaking of the Log4j response, Sen. Peters said he was “grateful to the administration for their quick action, and transparency with Congress.” But he said he remained “concerned that we may never know the full scope and impacts of this vulnerability or the risk posed to our networks that the American people rely on each and every day.”
“That is why I’ll continue to monitor and track this latest cybersecurity threat, and work with my colleagues to help ensure the government is receiving timely information about cybersecurity threats, so that we can formulate a comprehensive strategy to fight back against hackers and hold foreign adversaries accountable for targeting our networks,” Sen. Peters said.
“That includes urging the Senate to pass landmark legislation that ranking member Portman and I authored and passed out of this committee to require critical infrastructure companies and civilian Federal agencies to report to the Cybersecurity and Infrastructure Security Agency when they are hit by a substantial cyber attack,” he said.
“Our efforts will also ensure that critical infrastructure owners and operators are reporting ransomware payments,” Sen. Peters continued. “Our government’s top cybersecurity experts would analyze this information and use it to help private sector organizations that provide essential services to the American people protect their networks.”
“This legislation will help our lead cybersecurity agency better understand the scope of attacks including vulnerabilities like log4j, to warn others of the threat, prepare for potential impacts, and help affected entities respond and recover,” he said. “And by modernizing the government’s cybersecurity posture, by passing FISMA reforms, we can help prevent online assaults against Federal agencies from foreign and domestic actors who seek to degrade our national and economic security.”
FedRAMP Reform
FedRAMP reform legislation has long been popular in the House, and in particular with House Government Operations Subcommittee Chairman Gerry Connolly, D-Va., sponsor of the FedRAMP Authorization Act approved by the House in January 2021.
“After more than five years of work, and repeated action in the House, we are finally on the cusp of enacting FedRAMP reform,” the congressman said in a statement today following introduction of the Senate legislative package.
“This bipartisan and bicameral cyber package will bring us another step closer to reforming, streamlining, and codifying this critical cybersecurity regime for Federal cloud technologies,” Rep. Connolly said.
The FedRAMP bill approved by the House in 2021 would codify the program, and provide $20 million of annual funding for the program to boost the number of secure cloud technologies authorized for Federal government use.
Rep. Connolly explained last July that his bill would make improvements to the program, and give it the flexibility “to grow and adapt to myriad future changes in cloud technologies.”
“This bill is essential and will demonstrate a universal commitment to FedRAMP and the accelerated adoption of secure cloud computing technologies – a vital component of the broader Federal IT modernization effort,” he said while explaining that the legislation would reduce duplication of security assessments and avoid unnecessary costs by establishing a “presumption of adequacy for cloud technologies that have already received FedRAMP certification.”