A bill mandating that critical infrastructure entities report to the federal government within three days of discovering they’ve been hit by a cyber-attack passed the House Wednesday night as part of a consolidated government spending package for fiscal year 2022.

The Senate last week passed the cyber incident reporting measure as part of a larger cybersecurity bill that also included an update to the Federal Information Security Modernization Act (FISMA) and an authorization and update of the Federal Risk and Authorization Management Program (FedRAMP). The FISMA and FedRAMP provisions were not included in the incident reporting bill passed by the House.

The Senate is due to begin considering the omnibus spending bill on Thursday. The continuing resolution that currently funds the federal government expires Friday night, so the omnibus package is considered a must-pass bill: without it, Congress would have to approve another continuing resolution or allow the federal government to shut down.

In addition to the 72-hour reporting requirement, the Cyber Incident Reporting for Critical Infrastructure Act requires owners and operators of critical infrastructure entities to report within 24 hours if they make a ransomware payment. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is the agency that the private sector would report to if the bill becomes law.

CISA currently receives information about cyber-attacks and breaches against the private sector only on a voluntary basis. The agency supports the incident reporting legislation because it would give CISA greater situational awareness of threats, which the agency could in turn share with government and industry partners to raise collective cyber defenses.

One of CISA’s priorities “is to make sure that we and our colleagues at the FBI have visibility into cyber intrusions that are occurring across this country,” Eric Goldstein, executive assistant director for cybersecurity at CISA, said on Thursday during a Billington Cybersecurity webinar. “I think a continuity throughout our…chat here has been the importance of CISA understanding what our adversaries are doing and how they are doing it because it’s the only way that we’re going to be able to protect other possible victims. The more that we get reports or organizations saying they’ve had a compromise, the more that we can glean information and share out to reduce the likelihood of other organizations being compromised.”

Supporters of the cyber incident reporting legislation failed to gain enough support to have the provision included in the FY ’22 National Defense Authorization Act signed into law in late December. Still, they were confident that the legislation would pass Congress this year.

Russia’s war against Ukraine, which has included cyber-attacks, may have helped tip the balance in favor of the incident reporting bill.

“And what’s going on right now around the world, particularly with regard to Russia and Ukraine, incredibly important that we put up better defenses here in this country, as well as helping Ukraine and other countries to fight against these cyber-attacks,” Sen. Rob Portman (R-Ohio), ranking member on the Senate Homeland Security and Governmental Affairs Committee and one of the authors of the legislation, said on the Senate floor last week.

The roles that CISA is given in the bill further demonstrate that it is the lead federal agency for cybersecurity.

The legislation also requires CISA to implement key provisions of the incident reporting bill through a rulemaking process, which allows for private sector comment. The rule will define which critical infrastructure entities are covered by the reporting requirement and which types of incidents must be reported.

If the bill becomes law, CISA will have two years to publish a notice of proposed rulemaking, and then another 18 months after that to issue the final rule.