This week, U.S. Senator Mark Warner (D-VA), chair of the Senate Intelligence Committee, and a broad group of bipartisan co-sponsors, introduced legislation that would require government agencies, contractors, and operators of critical infrastructure to report cyber incidents to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours. The bill is a response to incidents like the SolarWinds and Colonial Pipeline hacks, which have put a fresh spotlight on the national security implications of cyber incidents and the need for greater information sharing. It expands on efforts by the Biden administration, such as the Executive Order on Improving the Nation’s Cybersecurity, to implement more expansive cyber breach notification requirements for entities that do business with the federal government. The bill, known as the Cyber Incident Notification Act of 2021, which has been previewed in the press for some time, has broad bipartisan and industry support and a strong chance of being enacted by Congress.
The bill applies to “covered entities,” defined as federal agencies, government contractors, and critical infrastructure owners and operators. Under the scheme proposed by the legislation, these entities must report to CISA, an agency within the Department of Homeland Security (DHS), within 24 hours of detection of a “cybersecurity intrusion” or “potential cybersecurity intrusion.” Covered entities would also have to provide regular updates to CISA within 72 hours of discovering new information.
The bill directs CISA, in coordination with various other national security and intelligence agencies, to promulgate rules establishing guidelines and clear definitions for what constitutes a reportable “cybersecurity intrusion” within 270 days from the bill’s enactment. Among other things, the bill directs that the definition of “cybersecurity intrusion” shall include at a minimum any incident that:
The bill also requires that any incident report must include, at a minimum, the following:
To address concerns from industry groups and incentivize cooperation, the bill exempts information provided to CISA from Freedom of Information Act requests, as well as subpoenas, except for those issued by Congress for oversight purposes. The bill also includes a liability protection provision that shields entities that submit a report from liability due to the submission of a cybersecurity notification, and would prevent cyber incident notifications from being used as evidence in criminal or civil actions. CISA must also consult with the private sector on the implementing regulations related to the bill.
The bill also provides for penalties in the event a covered entity fails to make a required disclosure. For example, the administrator of the General Services Administration (GSA) can impose penalties on government contractors, including removal of the contractor from any GSA federal supply schedules. Entities that do not have government contracts will be subject to a fine of as much as 0.5% of gross revenue per day of delayed notice, although CISA will be required to establish a process for contesting civil penalties.
The Cyber Incident Notification Act may be incorporated into the FY 2022 National Defense Authorization Act (NDAA) and otherwise will be referred to the Senate Homeland Security and Governmental Affairs Committee, which has jurisdiction over CISA and which is considering several other cybersecurity-related legislative proposals.
Senators Gary Peters (D-MI) and Rob Portman (R-OH), chairman and ranking member of the Senate Homeland Security and Governmental Affairs Committee, are reportedly working on cyber incident reporting legislation focused on ransomware, which would require non-federal entities to notify the government if such entities make a ransom payment in response to a ransomware attack. The bill also reportedly would call for these entities to consider alternatives to making the ransom payment, including:
As mentioned above, the Biden cybersecurity Executive Order, promulgated on May 12, 2021, is another source for regulation of cyber incident reporting. As we describe in a prior article, the Order requires changes to the Federal Acquisition Regulation that will impose more rigorous and uniform breach notification and information sharing requirements on federal contractors.
Although the pending legislation provides fairly detailed parameters for cyber incident reporting, it remains to be seen how the various stakeholders’ actions and recommendations will coalesce into implemented policy changes. What is apparent is that this is a rapidly changing area of law with potential implications for numerous stakeholders, including in particular those companies that do business with the government or that own or operate critical infrastructure.
Raymond Rif, a legislative and policy analyst in Morrison & Foerster’s National Security practice, contributed to this alert.