A bipartisan contingent of senators last week introduced an amendment to the annual defense authorization bill requiring owners and operators of critical infrastructure as well as federal civilian agencies to report cyber and ransomware attacks to the Department of Homeland Security.
The amendment is based on the Cyber Incident Reporting Act and Federal Information Security Modernization Act of 2021, which were advanced by the Senate Homeland Security and Governmental Affairs Committee this fall.
The provision would require that owners and operators of critical infrastructure notify the DHS Cybersecurity and Infrastructure Security Agency within 72 hours of a substantial cyber-attack. Other businesses, non-profit organizations and state and local governments report to the government within 24 hours if they make a ransom payment after an attack.
The amendment would also require all civilian agencies to report all cyber-attacks to CISA and major cyber incidents to Congress. It also gives additional authorities to CISA to ensure the agency has the lead in responding to cyber incidents on networks of federal civilian agencies.
The amendment was introduced by Sens. Gary Peters (D-Mich.), Rob Portman (R-Ohio), Mark Warner (D-Va.), and Susan Collins (R-Maine).
“Having a clear view of the dangers the nation faces from cyber-attacks is necessary to prioritizing and acting to mitigate and reduce the threat,” Collins said in a statement. “Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure.”
A similar measure requiring critical infrastructure entities to notify CISA within 72 hours of detecting that they are under a cyber-attack was passed by the House in September as part of its version of the fiscal year 2022 National Defense Authorization Act.