House Passes Cyber Incident Reporting Requirement as Part of Omnibus Spending Bill
House lawmakers have passed a piece of legislation that would require private companies to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency as part of an omnibus spending bill.
Leaders from the House Homeland Security Committee said in a press release that reporting attacks to CISA would give the government a clearer picture of the cyber landscape and allow authorities to stop malicious campaigns and spread better information about cyber threats to the private sector. The bill requires critical infrastructure entities to report an incident to CISA within 72 hours and report ransomware payments within 24 hours, Nextgov reported Thursday.
Should the incident reporting bill be signed into law, CISA will undergo a rulemaking process to solidify reporting rules. The process could take over three years before its provisions become enforceable, and some members of the industry are starting to challenge some aspects of the bill.
Henry Young, policy director for the software industry advocacy group BSA, said the 72-hour rule should only go into effect once a company determines that a cyber incident has indeed occurred. He noted that BSA will be willing to work with the Department of Homeland Security to define what incidents should be covered by the bill.
The cybersecurity bill was included in Congress’ omnibus spending bill, which is already about five months late. According to the White House, the funding bill would support economic recovery and restore the United States’ position as a global leader. The administration has urged the Senate to support the funding legislation and have it signed by President Joe Biden without delay.