As the Senate returns to work on Nov. 29 with the completion of debate on the Fiscal Year (FY) 2022 National Defense Authorization Act (NDAA) at the top of its agenda, lawmakers will be looking to tack on a host of cybersecurity-related amendments to the defense spending bill.
Included among those amendments are potential reforms to the Federal Information Security Modernization Act (FISMA), a bill that would codify the authorities of National Cyber Director Chris Inglis, and a cybersecurity incident reporting bill, among other tech amendments.
Here’s a rundown of some of the top cybersecurity and IT amendments to watch for as the NDAA makes its way to the finish line.
Although FISMA reform was not included in Sen. Jack Reed’s, D-R.I., amendment in the nature of a substitute, Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio, are looking to add it to the NDAA via S.Amdt. 4799.
The amendment would amend FISMA, passed in 2014, to account for the changes in the cybersecurity landscape since then, like the creation of the Cybersecurity and Infrastructure Security Agency (CISA) and the position of National Cyber Director. The FISMA reform bill would:
- Put CISA more firmly in the driver’s seat for Federal civilian agency security;
- Wrap the National Cyber Director and the Office of Management and Budget (OMB) more tightly into cybersecurity policy-setting;
- Ensure more timely delivery to key congressional committees of details about major cyberattacks;
- Codify into Federal law some aspects of President Biden’s cybersecurity executive order issued in May; and
- Put into motion penetration testing of Federal civilian networks.
The amendment also includes a cyber incident reporting requirement and a ransomware vulnerability pilot program.
Defense of United States Infrastructure Act
An amendment proposed by Sen. Angus King, I-Maine, would accomplish aims similar to those of a few tech amendments added to the House version of the NDAA, such as establishing a five-year term limit for the director of CISA.
The amendment would also codify hiring authorities for the Office of the National Cyber Director and create a cyber threat information collaboration environment.
The cyber threat information collaboration environment would need to be set up within 180 days of enactment by the CISA director, Director of National Intelligence, Secretary of Defense, and Attorney General. The bill would also authorize an annual report on the effectiveness of the program.
Cyber Incident Reporting
Another amendment that looks to boost the nation’s cybersecurity is a cyber incident reporting bill proposed by Sen. Rick Scott, R-Fla.
Federal agencies tasked with oversight of cybersecurity incidents, like CISA and the FBI, say it’s difficult to determine whether the rate of cyberattacks is changing because only around one-quarter of attacks are reported.
Both agency officials and lawmakers have turned to work on mandatory incident reporting laws to help rectify that issue, and the amendment from Sen. Scott would require any Federal contractor, as well as any owner or operator of critical infrastructure (CI), to report any cyber incidents within 72 hours to the director of CISA. The bill would also require those entities to report within 24 hours if they decide to make a ransomware payment.
Other Amendments to Watch
Beyond those three bills, here’s a list of other cyber or tech-related amendments to keep an eye on as the Senate looks to finalize the defense spending bill.
- Amdt.4273 and 4802: The Cybersecurity Opportunity Act, proposed by Sen. Jon Ossoff, D-Ga., would create a grant program for Historically Black Colleges and Universities (HBCUs) and Minority Serving Institutions (MSIs).
- Amdt.4241: Sen. Bob Menendez, D-N.J., proposed an amendment to Combat International Cybercrime. The amendment would create a registry of state sponsors of international cybercrime and authorize the imposition of sanctions following major incidents.
- Amdt.4228: Proposed by Sen. James Risch, R-Idaho, the amendment would create a Federal and State Technology Partnership Program.
- Amdt.4253: Sen. Dianne Feinstein, D-Calif., proposed an amendment that would create a Space Technology Advisory Committee.
- Amdt.4254: Sen. Maggie Hassan, D-N.H., proposed an amendment that would allow the Secretary of Defense to establish public-private partnerships “focused on private sector entities working on quantum information sciences and technology research applications,” with up to 10 program participants.
- Amdt.4255: Sen. Hassan also submitted an amendment that would give CISA the authority to provide support and services for critical infrastructure providers.
- Amdt.3897: Sen. Debbie Stabenow, D-Mich., proposed an amendment that would authorize the creation of the Supply Chain Risk Assessment Framework for the Department of Defense.
These represent just a few of the amendments filed for the FY2022 NDAA. Senators have until 3:30 p.m. on Nov. 29 to file first-degree amendments to the bill and until an hour before the cloture vote to file any second-degree amendments.