The Consolidated Appropriations Act of 2022 (H.R. 2471), introduced by Rep. Rosa DeLauro, D-Conn., would fund the Federal government through the end of fiscal year (FY) 2022 and includes language on cyber incident reporting for critical infrastructure (CI) requirements.
The appropriations bill ties in language from legislation (S. 3600) that was approved last week by the senate and would update the Federal Information Security Management Act (FISMA), codify the General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP), and require timely incident reporting by CI providers.
H.R. 5540, which was introduced last September, but failed to clear the House Homeland Security Committee also contained language on CI incident reporting. Supporters of H.R. 5540 sought to attach the bill to the National Defense Authorization Act for FY22, but failed to do so.
H.R. 5540 would’ve required the reporting of any cyber incidents that the Department of Homeland Security (DHS) “determines is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the U.S. or to the public confidence, civil liberties, or public health and safety of the people of the United States.”
Now, language in H.R. 2471 also requires timely CI incident reporting. It would require CI entities across the Federal government to report “significant” cyber incidents to the Federal government within 72 hours.
“This package makes historic investments in the middle class and people who are living paycheck to paycheck,” said Rep. DeLauro in a statement. She adds that the bill would work to help small businesses, support job training, rebuild U.S. infrastructure, and unlock the “full funding provided by the Infrastructure Investment and Jobs Act.”
Congress would have to pass the spending bill by March 11, when the existing resolution expires.