Incident Reporting Legislation Moves Enforcement Power from CISA Director

An amended version of the Cyber Incident Reporting Act is being tacked on to the NDAA.


The bipartisan measure introduced as an amendment to the National Defense Authorization Act makes other significant changes to legislation introduced in September.

An amendment key senators have introduced for attachment to the annual National Defense Authorization Act instructs the director of the Cybersecurity and Infrastructure Security Agency to decide which agency should enforce the requirement that private-sector entities report cybersecurity incidents to the government.

“The director, in consultation with sector risk management agencies and the heads of other federal agencies, shall publish in the Federal Register an interim final rule,” laying out the terms under which covered entities must report incidents as well as the implementation of exceptions and enforcement measures described in the amendment, according to text obtained by Nextgov.

A press release issued Thursday evening by the amendment’s sponsors said it is “based on the Cyber Incident Reporting Act and Federal Information Security Modernization Act of 2021,” both of which cleared the Senate Homeland Security and Governmental Affairs Committee. The original Cyber Incident Reporting Act gave the CISA director the power to craft the details of the cyber incident reporting rules along with the ability to issue subpoenas and pursue related enforcement mechanisms.

The amendment, in contrast, instructs the director, through the rulemaking process, to identify “the agency to carry out the enforcement provisions ... including with respect to the issuance, service, withdrawal, and enforcement of subpoenas, appeals and due process procedures, the suspension and debarment provisions … and other aspects of noncompliance.”

CISA Director Jen Easterly has testified on the need for fines, instead of a drawn-out subpoena process, for compelling private-sector entities to report cyber incidents to the agency. Sen. Mark Warner, D-Va., agreed, calling related incident reporting legislation that passed the House “toothless” for its lack of appropriate enforcement. The House measure is similar to the original Senate bill and the newly proposed amendment in that it requires cyber incident reports within 72 hours and relies on subpoenas.

But Warner was outnumbered and has now joined Sens. Gary Peters, D-Mich., Rob Portman, R-Ohio, Susan Collins, R-Maine, and Kyrsten Sinema, D-Ariz., in proposing the new amendment.

“It seems like every day, Americans wake up to the news of another ransomware attack or cyber intrusion, but the SolarWinds hack showed us that there is nobody responsible for collecting information on the scope and scale of these incidents,” Warner said Thursday in the press release. “We can’t rely on voluntary reporting to protect our critical infrastructure—we need a routine reporting requirement so that when vital sectors of our economy are affected by a cyber breach, the full resources of the federal government can be mobilized to respond to, and stave off, its impact. I’m glad we were able to come to a bipartisan compromise on this amendment addressing many of the core issues raised by these high-profile hacking incidents.”   

The amendment also includes a significant new exception. The reporting requirements won’t apply to certain entities related to the Domain Name System, which will be determined by the director through the rulemaking process. The DNS is the system that translates human-readable domain names into the numeric IP addresses that computers use; its servers are both a target of Distributed Denial of Service, or DDoS, attacks and a frequently abused amplifier for them.

“The requirements … shall not apply to an entity or the functions of an entity that the director determines constitute critical infrastructure owned, operated, or governed by multi-stakeholder organizations that develop, implement, and enforce policies concerning the Domain Name System, such as the Internet Corporation for Assigned Names and Numbers or the Internet Assigned Numbers Authority,” the amendment reads.

Under the new amendment, the director and sector-specific agencies would also have considerably more time to propose and finalize the rule, which won’t be due until three and a half years after the law’s enactment.

Editor's Note: A previous version of this story reported that the amendment gives the director of the Office of Management and Budget the relevant rulemaking authority. The amendment gives that authority to the director of the Cybersecurity and Infrastructure Security Agency, in consultation with sector-specific agencies.