After a few failed attempts, cyber incident reporting legislation made it over the finish line as part of the fiscal year (FY) 2022 appropriations bill – a victory hailed by Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly and lawmakers as a necessary step for more visibility to protect critical infrastructure.
Easterly, along with Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters, D-Mich., and ranking member Rob Portman, R-Ohio, applauded the legislation today.
“As the nation’s cyber defense agency, CISA applauds the passage of cyber incident reporting legislation,” Easterly said today in a statement. “Thanks to the support of our many partners in Congress, CISA will have the data and visibility we need to help better protect critical infrastructure and businesses across the country from the devastating effects of cyberattacks.”
“Put plainly, this legislation is a game-changer,” she added. “Today marks a critical step forward in the collective cybersecurity of our nation.”
Language in the bill will require critical infrastructure owners and operators – most of whom are not part of the government – to report any cyber incidents deemed “significant” to the Federal government within 72 hours.
Previous efforts to tack incident reporting on to reconciliation bills or the FY2021 National Defense Authorization Act fell short.
The push for cyber incident reporting legislation has been spearheaded by Sens. Peters and Portman.
“Critical infrastructure operators defend against malicious hackers every day, and right now, these threats are even more pronounced due to possible cyber-attacks from the Russian government in retaliation for our support of Ukraine. It’s clear we must take bold action to improve our online defenses,” Peters said in a joint statement today.
“This historic effort will make sure our nation can deter cyber-attacks against critical infrastructure companies, such as energy providers and banks, which can significantly disrupt American lives and livelihoods,” he added
The pair also recently authored a Senate-passed cybersecurity package that would modernize the Federal Information Security Management Act (FISMA) and codify the Federal Risk and Authorization Management Program (FedRAMP). The bill also has cyber incident reporting language included.
“The Federal government must be able to quickly coordinate a response and hold these bad actors accountable,” Sen. Portman said in the joint statement with Sen. Peters.
“This bipartisan bill will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks. The legislation strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.”
CISA also received a considerable bump in funding in the FY2022 appropriations bill. CISA will be funded at $2.6 billion for FY2022, which represents an increase of $568.7 million more than FY2021 and $460 million more than requested by President Biden.
“We are also grateful to Congress for the unprecedented level of funding provided for CISA in the Fiscal Year 2022 Omnibus,” Easterly said. “This investment represents a recognition of the importance of our mission and the confidence of the Congress in our ability to defend our nation’s networks and critical infrastructure.”