Peters eyes progress on unfinished cyber bills in next Congress

Federal information security law last updated in 2014

Sen. Gary Peters says the world is “radically different” from 2014, when the federal cybersecurity law was last updated. (Tom Williams/CQ Roll Call file photo)
Posted December 15, 2022 at 3:40pm

The flurry of cybersecurity legislation enacted by the current Congress left one unfinished piece of business that Sen. Gary Peters says will be first in line in the next Congress: updating the federal government’s cybersecurity efforts. 

“The one area we were not able to finish was FISMA, and that is a top priority for me,” Peters, D-Mich., the chairman of the Senate Homeland Security and Governmental Affairs Committee, said in an interview Wednesday. “In the first markup [in the next session] I plan to put FISMA on that markup.”

FISMA stands for Federal Information Security Modernization Act, which assigns responsibilities to federal agencies, including the National Institute of Standards and Technology, the Office of Management and Budget, and the Cybersecurity and Infrastructure Security Agency, in safeguarding government computer networks. The law was last updated in 2014.

“The world is radically different,” Peters said. Federal agencies have tried to keep up with threats, but they still fall short in communicating with each other when one of them is attacked, he said.

“If your systems are getting attacked, you’ve got to believe the other ones [at other agencies] are being attacked too,” Peters said. “How you share information quickly and efficiently is critically important. So there’s still work to do. That’s why FISMA for me is a top priority.”

A bill dealing with information security was part of a package of cybersecurity legislation attached early this year to the fiscal 2022 omnibus spending bill but was stripped out because of differences between the House and the Senate on the role of the OMB and CISA.

Peters said he’s discussed the legislation with his likely House counterpart, Rep. James R. Comer, R-Ky., who is expected to become chairman of the House Oversight and Reform Committee. “And I think we are in a good place,” Peters said.

Among other cybersecurity issues, Peters said he intended to reintroduce legislation that would address the security of open-source software used by federal agencies. He cited the example of a flaw discovered last December in widely used open-source software called Log4j.

The open-source tool is a Java-based library developed by Apache that software developers use to track activity within an application.

Peters’ legislation would ask CISA to work with private groups and others to strengthen the security of such open-source software used by federal agencies.

The Senate committee also will hold hearings to understand how state and local governments are using federal grants to beef up security measures, Peters said. The infrastructure spending bill provides $1 billion for grants to state and local governments to improve cybersecurity. 

The committee also plans to continue to find ways Congress can help small and medium-sized businesses deal with the rising number of ransomware attacks, Peters said.

The infrastructure legislation also established a $100 million fund that the secretary of Homeland Security could use to assist federal and private sector entities reeling from a major cyberattack, and it requires the Environmental Protection Agency to assess and identify public water systems that could be crippled in a cyberattack.

Peters said he would explore ways to address cybersecurity vulnerabilities faced by other critical infrastructure such as chemical plants, sewage treatment facilities and others.

Peters said he was “uniquely positioned” to address the cybersecurity issues facing critical infrastructure operators because he also is a member of the Senate Commerce Committee.

He said he would explore whether having operators of critical infrastructure meet certain basic cybersecurity standards would be a viable option.