The Senate Homeland Security and Government Affairs Committee on Oct. 6 approved S. 2875, the Cyber Incident Reporting Act of 2021.
The legislation would require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours if they are experiencing a cyber-attack.
The bill would also create a requirement for critical infrastructure entities and other organizations, including nonprofits, certain businesses, and state and local governments, to notify the federal government within 24 hours if they make a ransom payment.
Sen. Gary Peters (D-Mich.), chairman of the committee, wants to offer the bill as an amendment to the Fiscal Year 2022 National Defense Authorization Act (NDAA) when it comes to the Senate floor. It is currently unknown when the Senate will consider the NDAA.
In late August, Joy Ditto, President and CEO of the American Public Power Association, and Jim Matheson, CEO of the National Rural Electric Cooperative Association, said that if Congress chooses to enact broad mandatory cyber incident reporting legislation for critical infrastructure, the associations agree with the principles laid out in an August 27 letter led by the Information Technology Industry Council (ITI) and endorsed by numerous other critical infrastructure sector entities and associations.
In that letter, ITI and the other entities and associations said that in order to ensure an effective incident reporting regime that leverages the limited resources of federal agencies, enables regulatory compliance, provides liability protections, and advances national cybersecurity interests, policymakers in Congress should, at a minimum, follow five key principles:
- Establish feasible reporting timelines of no less than 72 hours
- Limit reporting regulations to verified incidents and intrusions
- Limit reporting obligations to the victim organization, rather than third-party vendors or providers
- Harmonize federal cybersecurity incident reporting requirements
- Ensure confidentiality and nondisclosure of incident information provided to the government