Federal Cyber Incident Reporting Provision Signed Into Law
A landmark provision authored by Senators Gary Peters (D-MI) and Rob Portman (R-OH), Chairman and Ranking Member of the Homeland Security and Governmental Affairs Committee, to enhance our nation’s ability to combat ongoing cybersecurity threats against critical infrastructure has been signed into law as a part of the government funding legislation that passed this week.
The provision would require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a substantial cyber-attack or if they make a ransomware payment.
The new law is a significant step to help combat potential cyber-attacks sponsored by foreign adversaries, including potential threats from the Russian government in retaliation for U.S. support in Ukraine.
There are 16 critical infrastructure sectors, such as energy, whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety.
The law will give the National Cyber Director, CISA, and other agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks.
The legislation strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.
The provision, which is based on the senators’ Cyber Incident Reporting Act, requires critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyber-attack and within 24 hours of making a ransomware payment.
The provision gives CISA the authority to subpoena entities that fail to report cybersecurity incidents or ransomware payments.
Organizations that fail to comply with the subpoena can be referred to the Department of Justice.
CISA is required to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit, and to establish a joint ransomware task force to coordinate federal efforts, in consultation with industry, to prevent and disrupt ransomware attacks.
The provision’s requirements are not in effect yet. The federal rulemaking process that will formalize aspects of this legislation will take two years to be completed.
The law also requires substantial consultation with industry and creates a federal council to coordinate federal incident reporting requirements to reduce duplicative regulations.