S 3600 Cyber Incident Reporting Provisions
Last week, the Senate passed S 3600, the Strengthening American Cybersecurity Act of 2022. Title II of that bill is the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The seven sections of that title outline the cyber incident reporting program to be established by CISA. It establishes CISA as the action agency for the receipt, processing and sharing of information provided in such reports and establishes a 72-hour reporting standard for covered cyber incidents and a 24-hour reporting standard for making ransomware payments.
Definitions
Section 203 of the bill establishes that the key terms used in the bill for Title III will be found in the new §2240 being proposed to the Homeland Security Act of 2002. That section establishes 19 key definitions. Those definitions include:
The ‘information system’ definition is similar to that found in 6 USC 1501 as it specifically includes “industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers”.
Cyber Incident Reporting
Section 203 of the bill amends 6 USC 659(c) by adding a new paragraph (13) to the list of functions for the National Cybersecurity and Communications Integration Center (NCCIC) in 6 USC 659. That paragraph describes the new responsibility for receiving, aggregating, and analyzing reports related to covered cyber incidents to enhance the situational awareness of cybersecurity threats across critical infrastructure sectors.
Section 203 then goes on to add additional new sections to the Homeland Security Act of 2002:
§2241 Cyber incident review,
§2242 Required reporting of certain cyber incidents,
§2243 Voluntary reporting of other cyber incidents,
§2244 Noncompliance with required reporting,
§2245 Information shared with or provided to the Federal Government,
§2246 Cyber Incident Reporting Council,
The key incident reporting requirements are outlined in §2242(a). They include:
A requirement for a covered entity to report a covered cyber incident to CISA no later than 72 hours “after the covered entity reasonably believes that the covered cyber incident has occurred”, and
A requirement for a covered entity to report a ransomware payment to CISA no later than “24 hours after the ransom payment has been made”.
Required Rulemaking
Section 2242(b) requires CISA to initiate a rulemaking to implement the reporting requirements of subsection (a). The notice of proposed rulemaking (NPRM) would be published within 24 months of the bill being enacted, and the final rule would be published 18 months after the NPRM was published.
The rulemaking would include:
A clear description of the types of entities that constitute covered entities,
A clear description of the types of substantial cyber incidents that constitute covered cyber incidents,
A clear description of the specific required contents of the required reports for a covered cyber incident,
A clear description of the specific required contents of the required reports for ransomware payments,
A clear description of the types of data required to be preserved for covered cyber incidents or ransomware attacks where a payment has been made,
Deadlines and criteria for submitting supplemental reports to the Agency, and
Other procedural measures directly necessary to implement these reporting requirements.
The discussion about the description of ‘covered cyber incidents’ specifically includes language that describes the coverage of industrial operations:
A cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes,
A disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability, or
Unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.
Commentary
While a mandatory reporting requirement is long overdue, the reality is that even if this bill were to pass tomorrow, the reporting process will still be years in the making. The rulemaking process is lengthy, with the 24-month NPRM requirement and the 18-month final rule publication requirement pushing the process out to three and a half years (plus whatever effective-date delay is included in the final rule) before the process goes live. And that is ‘IF’ CISA is able to comply with those time constraints.
Congress gave DHS six months to stand up the Chemical Facility Anti-Terrorism Standards (CFATS) program under an interim final rule. That deadline was essentially met and DHS included an NPRM that was not required by the authorizing language. A more reasonable deadline for a cyber incident reporting interim final rule would be somewhere between six months and a year. This is especially true here because the legislation outlines the requirements in quite some detail.
NOTE: These same provisions were included in the recently passed HR 2471, the Consolidated Appropriations Act, 2022 in Division Y—Cyber Incident Reporting for Critical Infrastructure Act of 2022. (Added 3-11-22, 09:30 EST)