200623 s 3045 cybersecurityvulnerabilityidentificationandnotificationact hsgac househomeland


June 23, 2020


Dear Chairman Johnson and Thompson and Ranking Members Peters and Rogers:

The U.S. Chamber of Commerce supports S. 3045, the “Cybersecurity Vulnerability Identification and Notification Act of 2019.” This bipartisan bill would grant the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) new administrative subpoena authority to identify and address a vulnerability in a covered device or system that supports critical infrastructure. S. 3045 would enable CISA to accomplish its objectives as the nation’s cybersecurity risk adviser.

The Chamber commends committee staff for working closely with industry stakeholders to negotiate the most recent version of the bill. Such key changes should allow CISA and the owners/operators of vulnerable critical infrastructure to better understand risks and threats to their business equipment and technologies and prioritize mitigation activities.

At the same time, the Chamber urges committee oversight of the unprecedented subpoena program that would be created under S. 3045. The legislation is narrowly tailored to assist particular functions of industry; it does not target individual Americans. Current CISA leaders are committed to partnering with industry, including protecting sensitive business information and using the new authority prudently. However, such a constructive approach to implementing S. 3045 should be monitored and cultivated within CISA.

Your leadership is crucial as the business community collaborates with policymakers to strengthen the cybersecurity of American businesses and governmental bodies against malicious actors. We look forward to working with you to advance S. 3045 and related issues critical to U.S. economic and national security.


Matthew J. Eggers

Vice President, Cybersecurity Policy

cc: Members of the Senate Committee on Homeland Security and Governmental Affairs

Members of the House Committee on Homeland Security

200623 s 3045 cybersecurityvulnerabilityidentificationandnotificationact hsgac househomeland