Civilian federal agencies and companies in the critical infrastructure space may be looking at a three-day cyber incident reporting window, along with a 24-hour notification window if a ransomware payment is made, should recent cybersecurity legislation make it through the House.
The bill has just cleared the Senate, leaving potentially only one more vote and the signature of President Joe Biden before it becomes law. Impacted companies would face the tighter reporting requirements in cases of “substantial” cyber attacks.
Cyber incident reporting in focus during geopolitical instability
Enjoying a fair level of bipartisan support, the bill cleared its vote in the Senate and now moves on to the House. Cybersecurity issues have always had some level of support from both sides of the aisle, but the situation in Ukraine and the elevated possibility of online attacks from Russia have improved the general attitude toward cybersecurity legislation such as this.
Though the bill would have expansive reach amongst companies that work in critical infrastructure, it would still not apply to most US businesses. The bill primarily gives the Cybersecurity and Infrastructure Security Agency (CISA) a firmer hand with some of the government agencies and federally attached private infrastructure companies that it already has some involvement with.
The US has yet to see notable cyber attacks from Russia (or partner Belarus), but is making ready as the war drags on and the possibility of an accidental entanglement or an aggressive act by the Ukraine invasion force grows.
Cybersecurity legislation moves on to House vote
The move continues a pattern of cybersecurity legislation that dates back about a year, as the Biden administration has made the improvement of national defenses a priority in the wake of serious ransomware attacks on critical infrastructure companies. Some utilities have already been given shorter cyber incident reporting windows; under NERC CIP standards, electricity companies already have a 24-hour reporting window.
Though the bill is moving quickly toward being passed, some key definitions have yet to be shored up. Most notably, the bill does not yet spell out exactly what constitutes a “substantial” attack for the purpose of triggering the new cyber incident reporting requirements. CISA will be tasked with developing these exact definitions going forward.
Speed appears to be more important than precision at the moment, however, as concerns about the Ukraine situation mount. Even if Russia continues to refrain from attacking countries outside of Ukraine, the digital world will clearly become part of the battlefield in future conflicts and a top national security consideration. In addition to updating cyber incident reporting requirements, the cybersecurity legislation seeks to modernize the Federal Information Security Management Act (FISMA) and the way in which ransomware attacks specifically are handled by federal agencies and related civilian offices. FedRAMP, the certification program for civilian organizations making use of federal cloud services, would also move from a recommendation to a requirement.