Inside Cybersecurity

Stakeholders see multiple avenues for advancing Senate-approved cyber package to final passage

By Sara Friedman / March 4, 2022

Senate-approved cyber legislation containing three distinct components could be passed in whole as a standalone bill in the House or split up and added to other large legislative vehicles that may offer a better chance for quick final passage in each chamber, according to stakeholders.

The “Strengthening American Cybersecurity Act” includes cyber incident reporting legislation and bills to reform the Federal Information Security Modernization Act and codify the General Services Administration’s FedRAMP program. SACA was passed in the Senate under unanimous consent on Tuesday.

The incident reporting language would create a mandatory regime for critical infrastructure owners and is a compromise that was worked out between the House and Senate Homeland Security committees last year as a potential amendment to the fiscal 2021 National Defense Authorization Act.

Megan Brown, a partner at the Wiley law firm, said the incident reporting component of SACA “has really moved in a more positive direction. Early drafts and other competing bills were sort of much broader and this has been refined in important ways.”

Brown said, “Some of the FISMA moves are welcome but I’m skeptical of the ability of agencies to handle these things. They are certainly addressing some important needs of the federal government and put CISA at the hub of the wheel for federal civilian agencies.”

Brown said the incident reporting language was drafted to be “more careful and focused in on a narrower group of covered entities, which was really helpful. In other competing bills and at various points, there has been discussion on a much broader application to the private sector and this is more focused on critical infrastructure.”

The House and Senate committees put in effort to “refine and clarify the kinds of incidents DHS needs to be focused on,” Brown said. “They’ve removed some of the ambiguity on what incidents that might be covered to exclude potential incidents, and that’s a step in the right direction.”

She also praised the bill’s provision directing CISA to start a rulemaking process to craft the incident reporting regime rather than going directly to an interim final rule.

One source told Inside Cybersecurity that there’s an opportunity for SACA to go into an omnibus spending bill or the China-focused technology and competition bill, which passed the House in February and is going into the conference process with the Senate.

The source noted that all three bills have counterparts in the House, which could lead to an easier process to get the final legislative package to the finish line.

Concerns raised this week by the FBI and Justice Department over the incident reporting bill spurred criticism from stakeholders who spoke with Inside Cybersecurity. One source said they were “perplexed” that the FBI’s issues were not resolved through the interagency process between the committees and agencies to come to an agreement on the bill.

The FISMA portion of the bill is similar to a standalone bill from House Oversight and Reform leaders, but there are still points of contention over the definition of a “major incident” and the codification of the federal chief information security officer position.

The House bill contains language to codify the Federal CISO role, while the Senate’s SACA does not.

In October, the Office of the National Cyber Director announced new responsibilities for Federal CISO Chris DeRusha, turning his position at the White House into a “dual-hat” role as the deputy national cyber director for federal cybersecurity with a specialization on engaging with agencies on “federal policy, strategy and evaluation of agency IT budgets.”

Ross Nodurft of the Alliance for Digital Innovation said, “It would be nice to see codification of the federal CISO as a dual hat with the NCD, but I don’t know if it’s a deal breaker if it is not in there at all. The current structure is working well but it is always helpful to have those authorities spelled out.”

The provision in the bill “bolsters the role of the federal CISO and allows the federal CISO to leverage ties across the interagency by using both the new NCD authorities as well as the OMB authorities,” Nodurft said.

Nodurft is a former chief of the Office of Management and Budget’s cyber team, which is overseen by the federal CISO.

The FISMA and FedRAMP portions of the bill are under the jurisdiction of the House Oversight Committee rather than the Homeland Security panel. Getting incident reporting legislation across the finish line this year is the priority for House Homeland Security leaders.

Nodurft said he is concerned that the FISMA bill doesn’t provide enough resources to accomplish its goals, including the implementation of zero trust across the federal government.

Under OMB’s zero trust strategy, agencies are directed to “internally source funding in FY22 and FY23 to achieve priority goals, or seek funding from alternative sources, such as working capital funds or the Technology Modernization Fund.” Agencies must provide a budget estimate to get additional funds for zero trust implementation in fiscal 2024.

On FedRAMP, Nodurft said, “My understanding is that the House and Senate are generally in agreement” with the language in SACA to codify the program. -- Sara Friedman (sfriedman@iwpnews.com)