U.S. Senate Sends Cybersecurity Omnibus Package To House
FTC settles with Weight Watchers over COPPA violations; U.S. tightens its buy-domestic requirements
Last week, by unanimous consent, the United States (U.S.) Senate passed a sprawling package that aims to shore up U.S. government and private sector cybersecurity. While most of the bill focuses on the new cybersecurity and information security standards U.S. government agencies would need to meet, the inclusion of cyber incident and ransomware reporting legislation bears directly on many private sector entities. The U.S. House has passed companion legislation on the same issues in discrete parts, but the timeline for action in that chamber is unclear and probably hinges on final agreement between the stakeholders in Congress and the Biden Administration. However, there are rumblings that some Republicans and, if I had to speculate, many industry stakeholders, notably companies contracting with the federal government, are opposed to many of the reforms of U.S. government cybersecurity on the grounds that they unfairly and needlessly burden businesses and harm innovation.
In passing its omnibus bill, the Senate acted under the specter of a massive Russian cyber attack on Ukraine and western supporters that most stakeholders feared. As Senate Majority Leader Chuck Schumer (D-NY) said at the beginning of debate:
As the war in Ukraine goes on and as Putin mounts his illegal, immoral, and unprovoked attack, he is escalating cyber attacks on democracies around the world. So, as the need to protect this country from cyber attack is always very, very, very important, it has assumed even greater importance now with Putin's fighting in Ukraine and threatening cyber attacks throughout the world.
The “Strengthening American Cybersecurity Act of 2022” (S.3600) combines revised versions of the Senate’s Federal Information Security Modernization Act (FISMA) reform, cyber incident reform legislation, and a codification of the Federal Risk and Authorization Management Program (FedRAMP). As noted, this bill was moved by unanimous consent, the least contentious manner in which to pass legislation in the body, which signals wide support.
The House’s bill, the “Federal Information Security Modernization Act of 2022” (H.R.6497), does not have a cyber incident reporting bill or a FedRAMP authorization. It is, however, very similar to the Senate’s FISMA revamp. Having said all that, the House passed bills last year very similar to the two other pieces of S.3600. The “Cyber Incident Reporting for Critical Infrastructure Act of 2021” (H.R.5440) was added to the “FY 2022 National Defense Authorization Act” (NDAA) (P.L. 117-81) (H.R.4350) but was not part of the final FY 2022 NDAA (see here for more on why a cyber incident reporting bill was left out). Additionally, the “FedRAMP Authorization Act” (H.R.21) was one of the first bills the House sent the Senate at the beginning of the current Congress. However, this post will not address the FedRAMP portion of S.3600 or the House’s standalone bill.