The Cybersecurity Incident Reporting Requirements Fail in the Latest Version of the National Defense Authorization Act

Alston & Bird


On December 7, 2021, the House of Representatives passed the National Defense Authorization Act for Fiscal Year 2022 (NDAA), which notably excluded any cybersecurity incident reporting requirements. In September, the House had approved a previous version of the bill that included a mandatory breach notification provision. That provision would have required the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to develop and establish standards, procedures and timelines for critical infrastructure owners and operators to report cybersecurity incidents, including a requirement to report such an incident within 72 hours of confirming it. Such a requirement would have been a broad expansion of the government's involvement in cybersecurity for the private sector.

In November, the Senate Homeland Security and Governmental Affairs Committee put forward an amendment that would not only require critical infrastructure owners and operators to report cybersecurity incidents to CISA within 72 hours, but would also direct state and local governments, businesses with over 50 employees and other organizations to notify the federal government within 24 hours of making a ransom payment in connection with a cybersecurity incident. Neither reporting requirement appears in the NDAA, which is expected to be passed by the Senate shortly.

While it is unclear why the cybersecurity incident reporting provisions were excluded, reports suggest that some lawmakers felt that imposing such a requirement on private entities, some of which are small businesses, would be overly burdensome. Specifically, there appears to have been significant pushback and a desire (by some Senators) to limit the 24-hour ransomware reporting provision to critical infrastructure owners or operators, not other businesses or organizations.

The NDAA does, however, include a number of cybersecurity initiatives, such as:

  • National Cyber Exercise Program: the NDAA authorizes CISA to establish a National Cyber Exercise Program designed to simulate and conduct tabletop exercises of a partial or complete shutdown of a government or critical infrastructure network caused by a cyber incident. The program will enable CISA to evaluate the readiness of the cyber incident response system.
  • CyberSentry: a cybersecurity program allowing CISA to enter into strategic, voluntary partnerships with critical infrastructure entities that own or operate industrial control systems and to provide those entities with cyber threat monitoring and detection.

Moving forward, both Republicans and Democrats have expressed a desire to pass cybersecurity incident reporting legislation, either as a stand-alone bill or possibly as part of another large legislative package. At this time, it appears that the window for including such legislation in the NDAA is just about closed.
