On December 7, 2021, the House of Representatives passed the National Defense Authorization Act for Fiscal Year 2022 (NDAA), which notably excluded any cybersecurity incident reporting requirements. In September, the House had approved a previous version of the bill that included a mandatory breach notification provision. That provision would have required the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to develop and establish standards, procedures and timelines for critical infrastructure owners and operators to report cybersecurity incidents, including a requirement to report such incidents as early as 72 hours after confirming them. Such a requirement would have been a broad expansion of the government’s involvement in cybersecurity for the private sector.
In November, the Senate Homeland Security and Governmental Affairs Committee put forward an amendment that would not only have required critical infrastructure owners and operators to report cybersecurity incidents to CISA within 72 hours, but would also have directed state and local governments, businesses with over 50 employees and other organizations to notify the federal government within 24 hours of making a ransom payment in connection with a cybersecurity incident. Neither reporting requirement appears in the NDAA, which is expected to be passed by the Senate shortly.
While it is unclear why the cybersecurity incident reporting provisions were excluded, reports suggest that some lawmakers felt that imposing such requirements on private entities, some of which are small businesses, would be overly burdensome. Specifically, there appears to have been significant pushback and a desire (by some Senators) to limit the 24-hour ransomware payment reporting provision to critical infrastructure owners or operators, rather than extending it to other businesses or organizations.
The NDAA does, however, include a number of cybersecurity initiatives, such as:
- National Cyber Exercise Program: the NDAA authorizes CISA to establish a National Cyber Exercise Program that conducts tabletop exercises simulating a partial or complete shutdown of a government or critical infrastructure network caused by a cyber incident. The Program will enable CISA to evaluate the readiness of the national cyber incident response system.
- CyberSentry: a cybersecurity program allowing CISA to enter into strategic, voluntary partnerships with critical infrastructure entities that own or operate industrial control systems, and to provide those entities with cyber threat monitoring and detection.
Moving forward, both Republicans and Democrats have expressed a desire to pass cybersecurity incident reporting legislation, either as a stand-alone bill or possibly as part of another large legislative package. At this time, the window for including such legislation in the NDAA appears to be all but closed.