Sens. Gary Peters, D-Mich., Rob Portman, R-Ohio, Mark Warner, D-Va., and Susan Collins, R-Maine, have proposed an amendment to the annual defense authorization bill that would require owners and operators of critical infrastructure and federal civilian agencies to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.
The bipartisan provision would direct state and local governments, businesses and other organizations to inform the federal government within 24 hours if they pay a ransom following a cyber incident, update existing federal cybersecurity laws to enhance coordination between agencies and impel the government to implement a risk-based security approach, the Senate Homeland Security and Governmental Affairs Committee said Thursday.
The proposed language in the fiscal year 2022 National Defense Authorization Act (NDAA) would update the Federal Information Security Modernization Act (FISMA) and give CISA additional authorities to lead efforts to oversee the response to cyber incidents involving networks of federal civilian agencies.
“This bipartisan amendment to significantly update FISMA will provide the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised,” said Portman.