Incident Reporting Legislation Moves Enforcement Power from CISA Director

An amendment that key senators are seeking to attach to the annual National Defense Authorization Act instructs the director of the Cybersecurity and Infrastructure Security Agency to decide which agency should enforce private-sector reporting of cybersecurity incidents to the government.

“The director, in consultation with the sector risk management agencies and the heads of other federal agencies, shall publish in the Federal Register an interim final rule,” establishing the terms under which covered entities must report incidents, as well as the implementation of the exceptions and enforcement measures described in the amendment, according to text obtained by Nextgov.

A press release issued Thursday night by the amendment’s sponsors said it is “based on the Cyber Incident Reporting Act and the Federal Information Security Modernization Act of 2021,” both approved by the Senate Homeland Security and Governmental Affairs Committee. The original Cyber Incident Reporting Act gave the CISA director the power to work out the details of the cyber incident reporting rules, along with the authority to issue subpoenas and carry out related enforcement mechanisms.

The amendment, by contrast, instructs the director, through the rulemaking process, to identify “the agency to carry out enforcement provisions … including with respect to the issuance, notification, withdrawal, and execution of subpoenas, appeals and due process procedures, suspension and disqualification provisions … and other aspects of noncompliance.”

CISA Director Jen Easterly has testified about the need for fines, rather than a lengthy subpoena process, to compel private-sector entities to report cyber incidents to the agency. Senator Mark Warner, Democrat of Virginia, agreed, calling the related incident reporting legislation passed by the House “toothless” because it lacks proper enforcement. The House measure resembles both the original Senate bill and the newly proposed amendment in that it requires cyber incidents to be reported within 72 hours and relies on subpoenas for enforcement.

But Warner was outnumbered and has now joined Senators Gary Peters, D-Michigan; Rob Portman, R-Ohio; Susan Collins, R-Maine; and Kyrsten Sinema, D-Arizona, in proposing the new amendment.

“It seems like every day Americans wake up to the news of another ransomware attack or cyber intrusion, but the SolarWinds hack showed us that there is no one responsible for gathering information on the scope and scale of these incidents,” Warner said Thursday in the press release. “We cannot rely on voluntary reporting to protect our critical infrastructure; we need a routine reporting requirement so that when vital sectors of our economy are affected by a cyber breach, all the resources of the federal government can be mobilized to respond, and avoid its impact. I am glad that we were able to reach a bipartisan compromise on this amendment that addresses many of the fundamental issues raised by these high-profile hacking incidents.”

The amendment also includes a significant new exception. The reporting requirements will not apply to certain entities related to the domain name system, to be determined by the director through the rulemaking process. DNS serves as a kind of phone book for internet addresses, and its weaknesses can be exploited in attacks such as those that produce a distributed denial of service, or DDoS.

“The requirements … shall not apply to an entity or the functions of an entity that the director determines to constitute critical infrastructure owned, operated or governed by multi-stakeholder organizations that develop, implement and enforce policies relating to the Domain Name System, such as the Internet Corporation for Assigned Names and Numbers or the Internet Assigned Numbers Authority,” the amendment says.

Under the new amendment, the director and the sector-specific agencies would also have considerably more time to propose and finalize the rule: the deadline would not arrive until three and a half years after the law is enacted.

Editor’s Note: An earlier version of this story reported that the amendment gave the director of the Office of Management and Budget the relevant regulatory authority. The amendment grants that authority to the director of the Cybersecurity and Infrastructure Security Agency along with sector-specific agencies.
