As The Washington Post reports, the Senate Homeland Security Committee recently held a hearing on two upcoming cyber bills. One piece of draft legislation would require operators of critical infrastructure to report data breaches to the Cybersecurity and Infrastructure Security Agency (CISA). The committee is also at work on redrafting the Federal Information Security Management Act (FISMA), last updated in 2014, which sets the federal government’s cybersecurity rules.
CISA director Jen Easterly told lawmakers she is a “huge supporter” of the proposed legislation that would mandate cyberattack disclosure by government contractors, federal agencies and certain private companies, as Bloomberg reports. Chris Inglis, the U.S. national cyber director, said such notifications would be “profoundly useful.”
Both Easterly and Inglis endorsed fining companies that fail to report data breaches. “Most of the 50 states have reporting requirements of a similar sort, and the vast majority of them have enforcement mechanisms, and many use fines,” Inglis said, as quoted by Government Technology.
As Utility Dive sums up, Easterly called for the bill to codify CISA’s role as the operational lead for federal cybersecurity. She also urged lawmakers to shift from compliance checklists to operational risk management, and pressed for a national incident-notification law so that CISA can share information promptly.
Easterly said the legislation must be designed to avoid unnecessarily weighing down businesses or CISA. “We don’t want to be flooded with reports saying, ‘We detected something; we’re not sure whether there’s actual impact or not.’ We need to make sure there’s determined impact,” Easterly said. “What we don’t want is to have CISA overburdened with erroneous reporting, and we don’t want to burden a company under duress when they’re trying to manage a live incident.”
The committee’s chair, Sen. Gary Peters (D-Mich.), reportedly plans to formally introduce a cyberattack disclosure bill in the weeks ahead. “We need to pass updated legislation clarifying CISA’s role and responsibilities, improve how incidents on federal networks are being reported to Congress and ensure our own cybersecurity resources are aligned with emerging threats,” Peters said, as quoted by TechTarget.