CISA seeks 24-hour timeline for cyber incident reporting

Two separate Senate bills set different deadlines for federal contractors, critical infrastructure providers and other covered companies to report cyber incidents to the federal government.


The Biden administration favors a 24-hour timeline for cyber incident reporting for critical infrastructure operators and other key entities.

Brandon Wales, the executive director of the Cybersecurity and Infrastructure Security Agency, noted that Colonial Pipeline had notified customers "well in advance of 24 hours" that it was shutting down pipelines after the hack of its business systems in May.

"We do think that 24 hours is a good metric," Wales said during a live interview at Bloomberg's Policy Blueprint event on Tuesday.

That stance aligns the administration with a bipartisan cybersecurity bill offered by leaders of the Senate Select Intelligence Committee in July.

The Cyber Incident Notification Act of 2021, sponsored by Sens. Mark Warner (D-Va.), Marco Rubio (R-Fla.) and Susan Collins (R-Maine) requires covered entities to report breaches within 24 hours and sets up a new reporting system with classified capabilities to support the timely notification of cybersecurity incidents – especially those traceable to known state-sponsored threat groups – to CISA.

Separately, the leaders of the Homeland Security and Government Affairs Committee introduced the Cyber Incident Reporting Act of 2021, which sets a 72-hour deadline for a broad swath of companies to report "major incidents" to CISA. That bill passed committee, and Sen. Gary Peters (D-Mich.), a lead sponsor of the bill and the panel's chairman, said at a recent markup that he hopes to pass cyber reporting and a related update to the Federal Information Security Modernization Act in the must-pass National Defense Authorization Act.

In Senate testimony last month, CISA Director Jen Easterly said it was "long past time to get cyber incident reporting legislation out there." She also said that she favored fines as way to enforce compliance with an incident reporting regime.

"I do think a compliance and enforcement mechanism is very important here," Easterly said. "I know some of the language talks about subpoena authority. My personal view is that is not an agile enough mechanism to allow us to get the information that we need to share it as rapidly as possible to prevent other potential victims from threat actors. So I think that we should look at fines."

Industry has typically favored the longer reporting timeline. The technology trade group ITI recommends that government "allow for at least a 72-hour reporting window after an entity has verified an incident."