CISA Cyber Incident Reporting Requirements Stall at the Finish Line of the Defense Bill
The FY2022 defense compromise bill does not include cyber incident reporting requirements, dealing a setback to a major bipartisan push to require critical infrastructure operators to report cyber attacks to the government.
The NDAA text released today by House and Senate negotiators leaves out a House-passed provision that would have established a Cyber Incident Review Office at the Cybersecurity and Infrastructure Security Agency. That language would have allowed CISA to set a 72-hour cyber incident reporting requirement for companies operating in the 16 critical infrastructure sectors of the United States.
The report accompanying the compromise bill did not explain why the House provision was dropped. But Democrats blamed Senate GOP leaders, including Minority Leader Mitch McConnell (R-Ky.), for the exclusion. A McConnell aide did not respond to a request for comment.
The language was proposed by the cybersecurity leaders of the House Homeland Security Committee, including Chairman Bennie Thompson (D-Miss.), ranking member John Katko (R-N.Y.) and Rep. Yvette Clarke (D-N.Y.), chair of the Cybersecurity, Infrastructure Protection and Innovation Subcommittee.
In a statement, Thompson and Clarke blamed the absence of the language on “dysfunction and disagreement resulting from the Republican leadership of the Senate that was not resolved until mid-morning today – well past the deadline of the NDAA.”
“This result is more than disappointing and undermines national security,” they said. “We were hoping to mark the first anniversary of the discovery of the SolarWinds supply chain attack by sending cyber incident reporting legislation to the President’s office. Instead, Republican Senate leaders have delayed things so much that the window has closed on including cyber incident reporting in the NDAA.”
The Senate Committee on Homeland Security and Government Affairs passed a similar bipartisan cyber incident reporting bill in October.
But the Senate never reached agreement on adding amendments, including the incident-reporting measure, to its own version of the NDAA, which led the two chambers to negotiate the compromise text released today.
Senate Homeland Security and Governmental Affairs Chairman Gary Peters (D-Mich.) also accused Republican Senate leaders of blocking the measure.
“We need urgent action to tackle the serious threat posed by cyber attacks, and by blocking our bipartisan reforms, the Republican Senate leaders are putting our national security at risk,” Peters said in a statement. “I will continue to lead efforts to implement these critical and sensible reforms and ensure that our country has a comprehensive strategy to tackle cybercriminals and foreign adversaries who continue to target our networks.”
Thompson and Clarke said they remain “fully committed to working across the aisle and with the Senate to find another way forward.” They said Speaker Nancy Pelosi (D-Calif.) has also “communicated her continued interest in working with us to get cyber incident reporting legislation to the president’s office.”
Meanwhile, the Department of Homeland Security is already imposing incident reporting mandates on many companies in the transportation sector. In recent months, the Transportation Security Administration has issued incident reporting requirements and other cybersecurity rules for oil and gas pipelines, railroads and the aviation industry.
GOP lawmakers have pushed back against some of the TSA’s mandates, including the requirements on oil and gas pipelines. Sen. Rob Portman (R-Ohio), the Homeland Security and Governmental Affairs Committee’s ranking member, and other congressional Republicans have asked the DHS Inspector General to investigate how the TSA crafted these requirements, arguing that the rules were issued without sufficient input from industry experts and other stakeholders.
The NDAA has become a popular vehicle for cybersecurity legislation in recent years. But this year’s compromise bill also left out a House-passed provision that would have set a five-year term for the CISA director.
It also excluded House-passed language that would have required DHS to develop a “cyber threat information collaboration environment.”
Nonetheless, the compromise bill does include notable cybersecurity provisions, including one authorizing CISA to establish a national cyber exercise program designed to simulate the partial or complete incapacitation of a government network or critical infrastructure by a cyber incident.
It also authorizes CISA to establish a “CyberSentry” program to provide voluntary continuous monitoring and detection services to critical infrastructure operators that own or operate industrial control systems.
The bill also includes a measure authorizing DHS to “assess the feasibility and desirability of entering into voluntary public-private partnerships with companies in the Internet ecosystem in order to facilitate the actions of those companies aimed at discovering and disrupting the use of such companies’ platforms, systems, services and infrastructure by malicious cyber actors.”
Such a program would likely complement the CISA “Joint Cyber Defense Collaborative” established in August and involving several Internet service providers, cloud computing companies and cybersecurity companies.
Meanwhile, HSGAC had also advanced a bill reforming the Federal Information Security Modernization Act of 2014. Among other things, the bill would have required agencies to report cyberattacks to CISA and federal contractors to report hacks to their contracting agency. Lawmakers hailed the bill as codifying CISA’s central role in federal cybersecurity efforts.
But the FISMA reform bill had no counterpart in the House and could not advance as an amendment to the Senate NDAA.