Senate Passes Data Breach Notification Bill
On Tuesday, March 2, the U.S. Senate passed the Strengthening American Cybersecurity Act of 2022 (Act). Introduced less than one month ago by Sens. Gary Peters (D-MI) and Rob Portman (R-OH), the spending bill combines three bills introduced in late 2021—the Cyber Incident Reporting for Critical Infrastructure Act (CIR), the Federal Information Security Modernization Act (FISMA), and the Federal Risk and Authorization Management Program (FedRAMP) Authorization Act (FedRAMPAA).
According to comments made by Senate Homeland Security Chairman Gary Peters (D-MI), the Act functions as a direct response to the threat of “retaliatory cyberattacks from the Russian government” that may result from U.S. support of the Ukrainian government. Sen. Portman echoed the sentiment, as did Senator Mark Warner (D-VA), chairman of the Senate Select Committee on Intelligence, and Senate Majority Leader Chuck Schumer.
Provisions of the Bill
If signed into law, the bill would instruct the Department of Homeland Security (DOHS), through the Cybersecurity and Infrastructure Security Agency (CISA), to “enhance the situational awareness of cybersecurity threats across critical infrastructure sectors.” The term “covered entities” has not been clearly defined by the Act. However, the provisions require that this definition be made clear upon issuance of a final rule.
FISMA
According to a key provision of the FISMA component of the Act, a covered entity that experiences, or reasonably believes it is experiencing, a covered cybersecurity incident would be required to report the incident to CISA within 72 hours of the occurrence and within 24 hours if a ransom payment is solicited by the threat actor or paid by the entity as a result of this incident.
FedRAMPAA
Under the FedRAMPAA component, the Act will provide FedRAMP with a framework to ensure a more efficient, consistent, and expedited process for “supporting the secure authorization and reuse of cloud computing products and services within the Federal Government, including by reducing the costs and burdens on both agencies and cloud companies to quickly and securely enter the Federal market.”
CIR
Under the CIR component of the Act, the Coordination of Federal Information Policy (44 USC Ch. 35) will be amended to reflect the use of automation, machine-readable data, and scanning to maintain and assess the written information security plans required of government agencies. These plans must be submitted to the Secretary of the Department of Homeland Security and the National Cyber Director.
Next Steps
For now, the bill will be submitted to the House of Representatives for consideration. If the proposed Act receives no opposition, Sens. Peters and Portman are reportedly going to request that the legislation be passed by unanimous consent so that the Act can be implemented by Tuesday.