Congress and Cybersecurity Legislation: Potential MSSP Implications Explained
From the outside, it looks as though a slew of proposed cybersecurity-centric legislation bottled up in the previous Congress is now stalled in this session as well. But dive a little deeper and the picture looks quite different, and remarkably productive, a new report from the Cyber Policy Institute suggests.
Indeed, some 80 bills have been introduced or passed by the 117th Congress in the first year of its session dating back to January, 2021, dwarfing the few that made it through the Senate in the prior administration. The new measures cross a number of areas, including defense, business, foreign relations, workforce and disaster preparedness.
Many carry important implications for managed security service providers (MSSPs) — especially in terms of how MSSPs document and/or disclose cybersecurity incidents, and the potential timing requirements of such disclosures.
Of note, some 77 cybersecurity articles were included in the $740 billion fiscal 2021 National Defense Authorization Act (NDAA), 27 of which were directly drawn from 25 recommendations of the Cyberspace Solarium Commission and the remainder developed by Congressional committees. Chief among those was creating the national cyber director at the White House (Chris Inglis) and strengthening the Department of Homeland Security’s cyber wing, the Cybersecurity and Infrastructure Security Agency (CISA). That bill passed over the veto of then-President Trump.
Last December, President Biden signed into law the 2022 NDAA that includes an amendment to require critical infrastructure owners and operators and civil federal agencies to report to CISA within 72 hours if they are hit by a cyber attack. The bill includes 14 provisions related to IT security, 13 to cyberspace, 12 to federal cybersecurity and eight to supply chain security, among others.
According to figures compiled by the Institute’s newly released review, entitled Cybersecurity Bills and the 117th Congress, the following has occurred with those 80 bills:
- 5 have passed both houses of Congress and been signed into law by President Biden.
- 10 have passed one or both houses of Congress.
- 32 remain in committee.
The measures cover a wide range of subjects, including:
- National security and defense.
- Protecting intellectual property.
- Protecting American business.
- Defending American critical infrastructure.
- Developing cybersecurity skills in people both inside and outside the government.
- Protecting children’s welfare.
- Protecting Americans’ privacy.
More Recent Cybersecurity Legislation Developments
Here are some recent cybersecurity-centric legislative moves:
In July, 2021, the House Energy and Commerce Committee passed eight bipartisan telecom-centric cybersecurity bills intended to help protect small telecom providers, small businesses and the public from cyberattacks, hackers and malware. And the Department of Homeland Security’s (DHS) Transportation Security Administration (TSA) requires owners and operators of critical infrastructure pipelines to implement specific mitigations to protect against ransomware attacks.
That same month, the House passed a package of five bipartisan bills that would support state and local governments’ cybersecurity needs, expand incident remediation capabilities and fortify critical infrastructure cyber defenses.
In November, 2021, the House passed two Small Business Administration (SBA) bills following months of Congressional wrangling. Of note, the Small Business Cybersecurity Assistance Act of 2019 was among the many bills that sat unattended by the 116th Congress (2019-2020).