Cyber incident
reporting
Senators Introduce NDAA Amendment Concerning Enforcement of Cyber Incident Reporting Requirement
A group of senators has introduced an amendment to the annual National Defense Authorization Act instructing the director of the Cybersecurity and Infrastructure Security Agency to decide which government agency should enforce the rule requiring private industry to report cybersecurity incidents to the government.
According to the amendment document, the CISA director will have the power to identify the agency that can best perform enforcement activities. The director must use the rulemaking process to select the enforcing body. The lawmakers said the measure is based on the Cyber Incident Reporting Act and the Federal Information Security Modernization Act of 2021, Nextgov reported.
The amendment also exempts entities related to the Domain Naming System from complying with the incident reporting requirement. The CISA director will use the rulemaking process to determine which entities fall under this exemption.
The changes would also give the CISA chief and government agencies more time to propose and finalize the rule, which will be due three-and-a-half years after the law’s enactment.
The amendment comes after CISA Director Jen Easterly called for more fines to compel private companies to report cyber incidents. Sen. Mark Warner agreed with Easterly and added that the incident response legislation recently passed by the House of Representatives lacks enforcement provisions.
The amendment was sponsored by Sens. Warner; Rob Portman, Gary Peters, Susan Collins, and Kyrsten Sinema.
Category: Cybersecurity