House Committee bolsters federal cybersecurity, passes Security Modernization and Supply Chain Security Training bills

The U.S. House Committee on Oversight and Reform approved on Wednesday the Supply Chain Security Training Act, which would establish a training program for federal officials responsible for supply chain risk management in government procurement. It also passed the Federal Information Security Modernization Act of 2022, which bolsters cybersecurity for federal agencies.

The Committee approved the Supply Chain Security Training Act, a bipartisan bill introduced by Rep. Joe Neguse and Rep. Scott Franklin. Introduced in the wake of the SolarWinds cyberattack, the bill requires the General Services Administration to establish a training program to help agencies better identify and mitigate supply chain security risks in the products and services the federal government acquires.

Under the bill, the Administrator of General Services, acting through the Federal Acquisition Institute, must develop within six months of the Act's enactment a training program for officials with supply chain risk management responsibilities at federal agencies.

The training program is to prepare such personnel to perform supply chain risk management activities and to identify and mitigate supply chain security threats that arise throughout the acquisition lifecycle, including the acquisition of information and communications technology, according to the bill. "The training program shall include, considering the protection of classified and other sensitive information, information on current, specific supply chain security threats and be updated as determined to be necessary by the Administrator."

The cybersecurity sector has long faced a shortage of skilled workers and has struggled to close that gap. Last November, the U.S. Department of Homeland Security (DHS) also turned its focus to improving federal cybersecurity talent, working more aggressively to recruit, develop, and retain top cybersecurity professionals.

The Committee also voted to approve the Federal Information Security Modernization Act of 2022, introduced last month by Rep. Carolyn B. Maloney, chairwoman of the Oversight and Reform Committee, and Rep. James Comer, the Committee's ranking member, to improve the federal government's cyber defenses following a string of high-profile cyberattacks, including SolarWinds and the Microsoft Exchange Server hack, as well as the vulnerabilities discovered in the widely used Apache Log4j logging library.

The Federal Information Security Modernization Act of 2022 modernizes and strengthens the Federal Information Security Management Act of 2002 (FISMA), which was last updated in 2014. Specifically, FISMA 2022 would clarify and streamline the roles of the National Cyber Director, the Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Chief Information Security Officer, and other federal entities so that they can better coordinate efforts to prevent, mitigate, and respond to cyber incidents.

It would also improve detection and reporting of cyberattacks through continuous monitoring of federal systems and new supply chain transparency requirements, and would require federal agencies to report major incidents affecting their data and information systems within 72 hours. The bill would further promote cybersecurity modernization and next-generation security principles to meet the challenges of evolving cyber threats.

The FISMA update would also extend the duration of the Federal Acquisition Security Council (FASC), which has several important functions, including recommending supply chain risk management standards and establishing criteria for sharing information on supply chain risks between executive agencies and other entities. Most significantly, the council has the authority to recommend that executive agencies exclude products that pose supply chain threats from agency procurement or remove them from agency networks.

“Cyberattacks are now a tool of choice for America’s geopolitical adversaries like Russia and China. After an onslaught of high-profile cyberattacks that threatened and compromised the networks of our federal agencies, it’s imperative that we reform our federal cybersecurity practices with the most advanced protections possible,” Carolyn B. Maloney, the Chairwoman of the Committee on Oversight and Reform, said in a media statement. “Today, I am proud to report that the Committee approved the Federal Information Security Modernization Act of 2022 to improve the cyber resilience and security of our federal agencies.”

“Cybersecurity is not only a bipartisan issue, it’s an urgent matter of national security, and I will work to get this bill to the President’s desk as soon as possible,” Maloney added.

The legislative progress comes as cybercrime continued to rise in the second half of 2021, with ransomware groups and supply chain attacks dominating the headlines and causing the greatest impact and operational disruption, Nozomi Networks said on Wednesday in its semi-annual OT/IoT Security Report covering that period.

Much like in the first half of 2021, ransomware attacks continued to make headlines and cause operational disruption, while supply chain attacks gave adversaries a way to spread damage quickly, the report added.
