
Alston & Bird Privacy, Cyber & Data Strategy Blog


The Cybersecurity Incident Reporting Requirements Fail in the Latest Version of the National Defense Authorization Act

December 9, 2021 By Kim Peretti and Lance Taubin

On December 7, 2021, the House of Representatives passed the National Defense Authorization Act for Fiscal Year 2022 (NDAA), which notably excludes any cybersecurity incident reporting requirement. In September, the House had approved a previous version of the bill that included a mandatory incident reporting provision. That provision would have required the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to develop and establish standards, procedures and timelines for critical infrastructure owners and operators to report cybersecurity incidents, including a requirement to report an incident within 72 hours of confirming it. Such a requirement would have been a broad expansion of the government’s involvement in private-sector cybersecurity.

In November, the Senate Homeland Security and Governmental Affairs Committee put forward an amendment that would not only require critical infrastructure owners and operators to report cybersecurity incidents to CISA within 72 hours, but also direct state and local governments, businesses with more than 50 employees and other organizations to notify the federal government within 24 hours of making a ransom payment in connection with a cybersecurity incident. Neither reporting requirement appears in the NDAA, which is expected to be passed by the Senate shortly.

While it is unclear why the cybersecurity incident reporting provisions were excluded, reports suggest that some lawmakers felt that imposing such a requirement on private entities, some of which are small businesses, would be overly burdensome. Specifically, there appears to have been significant pushback from some Senators, who wanted to limit the 24-hour ransomware payment reporting provision to critical infrastructure owners and operators rather than extend it to other businesses and organizations.

The NDAA does, however, include a number of cybersecurity initiatives, such as:

  • National Cyber Exercise Program: the NDAA authorizes CISA to establish a National Cyber Exercise Program designed to simulate, through tabletop exercises, a partial or complete shutdown of a government or critical infrastructure network caused by a cyber incident. The program will enable CISA to evaluate the readiness of the cyber incident response system.
  • CyberSentry: a cybersecurity program allowing CISA to enter into strategic, voluntary partnerships with critical infrastructure entities that own or operate industrial control systems and provide such entities with cyber threat monitoring and detection.

Moving forward, both Republicans and Democrats have expressed a desire to pass cybersecurity incident reporting legislation, either as a stand-alone bill or possibly as part of another large legislative package. At this time, it appears that the window for including such legislation in the NDAA is just about closed.

Filed Under: Cybersecurity, Data Breach, Ransomware, Security Breach

About Kim Peretti

A former DOJ cybercrime prosecutor and former director of PwC's cyber forensics group, Kim delivers top-of-the-line cyber risk management and information security counsel to her clients. As co-leader of our Privacy, Cyber & Data Strategy Team, Kim is recognized by select publications and is frequently quoted by the media.


About Lance Taubin

Lance Taubin is an associate with Alston & Bird’s Privacy, Cyber & Data Strategy team. He advises clients on data privacy and cybersecurity compliance and enforcement, managing cyber risk, breach investigations and response, and transactional diligence.


Copyright © 2022 · Alston & Bird · All Rights Reserved.