Critical infrastructure owners and operators and civil federal agencies would be required to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours if they are hit by a cyber attack, should a new bipartisan amendment to the upcoming annual defense bill gain approval.
The amendment, which also requires most entities to report to CISA if they make a ransomware payment, is backed by Sens. Gary Peters (D-MI), who chairs the Homeland Security and Governmental Affairs Committee, Mark Warner (D-VA), Rob Portman (R-OH) and Susan Collins (R-ME). Its foundation is Peters’ Cyber Incident Reporting Act and separate Federal Information Security Modernization Act of 2021 that would require critical public and private organizations to notify CISA within 24 hours of discovering the system compromise.
The cyber incident reporting measure also requires federal contractors–including MSSPs, MSPs and managed detection and response (MDR) service providers--to report to CISA within 24 hours of making a ransom payment. In early October, the Department of Justice (DOJ) launched a new action to slap hefty fines on government contractors, including MSSPs and MSPs, that fail to report a cybersecurity incident.
Here’s what the Peters amendment to the National Defense Authorization Act (NDAA) would do:
- Requires critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyber attack.
- Requires many businesses, nonprofits, and state and local governments to report to CISA within 24 hours of making a ransom payment.
- Updates current federal government cybersecurity laws to improve coordination between federal agencies.
- Forces the federal government to take a risk-based approach to security.
- Requires all civilian agencies to report all cyber attacks to CISA and major cyber incidents to Congress.
- Provides additional authorities to CISA to ensure they are the lead federal agency in charge of responding to cybersecurity incidents on federal civilian networks.
The amendment is a middle ground between legislation introduced by Peters and Portman that would extend the reporting deadline to 72 hours and an earlier Warner incident reporting bill that specified a 24-hour timeline. A number of prominent businesses have claimed that incident reporting, no matter what the acceptable time frame, would disproportionately concern their shareholders and weaken their competitive positions.
Under existing law, no federal requirement for individual companies to disclose to CISA a breach is currently on the books, let alone mandated within a certain time frame.
“I’m grateful to my colleagues for working together to introduce this bipartisan amendment that will take significant steps to strengthen cybersecurity protections, ensure that CISA is at the forefront of our nation’s response to serious breaches, and most importantly, requires timely reporting of these attacks to the federal government so that we can better prevent future incidents and hold attackers accountable for their crimes,” Peters said.
Too much is at stake to rely on voluntary reporting to protect critical infrastructure, said Warner, who chairs the Senate Select Committee on Intelligence. “We need a routine reporting requirement so that when vital sectors of our economy are affected by a cyber breach, the full resources of the federal government can be mobilized to respond to, and stave off, its impact,” he said.
The 2022 NDAA that passed the House on September 23rd included amendments that would limit the term of the CISA director to five years, authorize the creation of a Cyber Incident Review Office, require CISA to update its incident response plan at least every two years, require the Defense Department to provide Congress with a report on cyber hygiene recommendations and a number of others.
The 2021 NDAA, vetoed by then President Trump but subsequently codified into law in a Congressional override, included 77 cybersecurity articles to improve the nation’s cybersecurity posture. Among them was a clause to restore the position of national cyber director within the White House responsible for coordinating federal cybersecurity policies.