Access Alert | US Congress Makes Significant Progress on Cybersecurity Legislation

In May 2022, the United States Congress made major progress on cybersecurity legislation – particularly with regards to interagency coordination and digital upskilling. The push for greater public sector cyber capabilities and resiliency is set against the backdrop of security woes tied to the ongoing conflict in Ukraine, the discovery of the major Log4j vulnerability, an uptick in ransomware attacks that may have cost businesses upwards of  $2 billion since 2019, and other factors that have prompted Congress to pass laws to protect federal assets and critical infrastructure.

The federal government has already taken several steps towards bolstering American cybersecurity capabilities in 2022. Going into the new year, the 2022 National Defense Authorization Act established initiatives like the CyberSentry program to help critical infrastructure operators detect cyber-attacks, and last November’s trillion-dollar Infrastructure Investment and Jobs Act spending package included nearly $2 billion in cybersecurity funds.

After some delay, Congress also approved the Consolidated Appropriations Act, 2022 on March 15. This omnibus spending legislation featured a $2.59 billion budget for the Cybersecurity and Infrastructure Security Agency (CISA) – $460 million more than the Biden administration had requested – as well as a cyber incident reporting mandate requiring entities in the critical infrastructure sector to report cyber incidents to CISA within 72 hours or 24 hours if they experience a ransomware attack.

The following bills have either been signed into law or have progressed significantly in Congress so far this May:

• S.2629 Better Cybercrime Metrics Act, signed into law on May 5, requires several government agencies to improve their collection of data related to cybercrimes, including the Justice Department’s Bureau of Justice Statistics and the Government Accountability Office (GAO).
• S.2201 Supply Chain Security Training Act of 2021 passed the House of Representatives on May 10 and awaits President Biden’s signature. The bill requires the General Services Administration (GSA), Department of Homeland Security (DHS), Department of Defense (DOD), and the Office of Management and Budget (OMB) to create a supply chain security training program for federal officials in charge of supply chain risk management. The program will include identifying and mitigating security risks associated with the acquisition of information and communications technology.
• S.1097 Federal Rotational Cyber Workforce Program Act also passed the House of Representatives on May 10 and awaits the president’s signature. The pending law establishes a rotational cyber workforce program in which certain cyber-trained federal employees may be detailed among various agencies.
• S.658 National Cybersecurity Preparedness Consortium Act of 2021 was enacted on May 12. This law allows DHS to work with one or more consortia composed of nonprofit entities to develop, update, and deliver cybersecurity training in support of the agency’s functions.
• H.R.847 Promoting Digital Privacy Technologies Act passed in the House of Representatives on May 12 and is currently under consideration in the Senate. The bill directs the National Science Foundation (NSF) to support research into privacy enhancing technologies (PETs).
• H.R.5658 DHS Roles and Responsibilities in Cyber Space Act passed the House on May 17 and is also under consideration in the Senate. The bill would require DHS, in coordination with CISA, to report on its roles and responsibilities for responding to cyber incidents.
• S.2520 State and Local Government Cybersecurity Act of 2021 passed the House on May 17 and awaits President Biden’s signature. The legislation provides for collaboration between DHS and state, local, tribal, and territorial authorities to bolster their cybersecurity capabilities through grants, cooperative agreements, and other forms of partnerships such as education campaigns. To facilitate this, the bill requires the National Cybersecurity and Communications Integration Center to coordinate between the federal agency and local governments.

Lastly, House and Senate leadership are still in conference committee to negotiate what will be included in the final text of the long-awaited America COMPETES Act. This legislation, originally conceived in the Senate in April 2021 as the United States Innovation and Competition Act (USICA), is notable for proposing more than $50 billion in funding for the domestic semiconductor industry. The House version of the bill also contains significant measures related to cybersecurity, including the creation of programs such as an ROTC-style “CyberCorps” scholarship for the federal cybersecurity workforce; the “Critical Technology Security Centers” to evaluate and test the security of technologies essential to national critical functions; and international capacity-building programs to improve cybersecurity both in the US and among its allies. These provisions are subject to changes or outright deletion during the ongoing conference committee. Current estimates suggest that negotiations may continue as late as July before a final version of the text is agreed upon.

Access Partnership is closely monitoring these legislative processes and provides comprehensive analysis to our partners and clients on how they affect their business. For more information on US cybersecurity legislation, please contact Jacob Hafey at [email protected], Erik Jacobs [email protected] or Christopher Martin [email protected].

Subscribe to our news alerts here.