The compromise fiscal year 2022 defense bill does not include cyber incident reporting requirements, setting back a major bipartisan push to have critical infrastructure operators report cyber attacks to the government.
The NDAA released by House and Senate negotiators yesterday leaves out a House-passed provision to establish a Cyber Incident Review Office at the Cybersecurity and Infrastructure Security Agency. The language would have allowed CISA to set a 72-hour cyber incident reporting requirement for companies operating in the 16 U.S. critical infrastructure sectors.
The report on the compromise bill did not provide an explanation for cutting the House provision. But Democrats blamed Senate GOP leaders, including Minority Leader Mitch McConnell (R-Ky.), for the exclusion. A McConnell aide did not respond to a request for comment.
The language was put forward by cybersecurity leaders on the House Homeland Security Committee, including Chairman Bennie Thompson (D-Miss.), Ranking Member John Katko (R-N.Y.) and Rep. Yvette Clarke (D-N.Y.), chairwoman of the cybersecurity, infrastructure protection and innovation subcommittee.
In a statement, Thompson and Clarke blamed the language’s absence on “dysfunction and disagreement stemming from Senate Republican leadership that was not resolved until mid-morning today — well past the NDAA deadline.”
“This result is beyond disappointing and undermines national security,” they said. “We had hoped to mark the one-year anniversary of the discovery of the SolarWinds supply chain attack by sending cyber incident reporting legislation to the President’s desk. Instead, Senate Republican leaders delayed things so significantly that the window closed on getting cyber incident reporting included in the NDAA.”
But the Senate failed to come to an agreement on adding amendments — including the incident reporting measure — to its version of the NDAA, resulting in the compromise agreement released by the House and Senate today.
Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) also blamed Senate Republican leaders for blocking the measure.
“We need urgent action to tackle the serious threat posed by cyber-attacks, and by blocking our bipartisan reforms, Senate Republican leaders are putting our national security at risk,” Peters said in a statement. “I’ll continue leading efforts to enact these critical, commonsense reforms and ensure our nation has a comprehensive strategy to fight back against cybercriminals and foreign adversaries who continue targeting our networks.”
Democratic aides pointed the finger at Sen. Rick Scott (R-Fla.) for delaying the deal on the incident reporting language over concerns about a requirement in the HSGAC-passed language for all businesses with more than 50 employees to report ransomware hacks to CISA. Scott had previously offered an amendment to the language to reduce the scope of the reporting to critical infrastructure entities.
A spokesman for Scott said the claim that he held up the amendment is “patently false.”
“Senator Scott fought to ensure the scope of this new cybersecurity incident reporting law would be limited to critical infrastructure and not burden America’s small businesses,” the spokesman said. “After hearing late on Monday night that a deal had been reached to change the amendment and make Senator Scott’s proposed change, which was supported by CISA, we were surprised and disappointed to see it left out of the NDAA language released by the House.”
An aide to the House Armed Services Committee said the language was not submitted in time to include it in the compromise NDAA.
Thompson and Clarke said they are still “fully committed to working across the aisle and with the Senate to find another path forward.” They said Speaker Nancy Pelosi (D-Calif.) has also “communicated her continued interest in working with us to get cyber incident reporting legislation to the President’s desk.”
Meanwhile, the Department of Homeland Security is already setting incident reporting mandates for many companies in the transportation sector. In recent months, the Transportation Security Administration has levied incident reporting requirements and other cybersecurity rules on oil and gas pipelines, railroads and the aviation sector.
GOP lawmakers have pushed back on some of TSA’s mandates, including the requirements put on oil and gas pipelines. Portman and other congressional Republicans have called on the DHS Inspector General to investigate how TSA developed those requirements. They argue the rules were rushed out without enough input from industry experts and other stakeholders.
Lukewarm cyber reception
The NDAA has become a popular bill for moving cybersecurity legislation in recent years. But this year’s compromise bill also left out a House-passed provision that would have set a five-year term for the CISA director.
And it excluded House-passed language requiring the development of a “cyber threat information collaboration environment” by DHS.
Still, the compromise bill did include some notable cybersecurity provisions, including one authorizing CISA to establish a National Cyber Exercise Program designed to simulate the partial or complete shutdown of a government or critical infrastructure network by a cyber incident.
It also authorizes CISA to establish a “CyberSentry” program to provide optional continuous monitoring and detection services to critical infrastructure operators that own or operate industrial control systems.
The bill also includes a measure authorizing DHS to “assess the feasibility and advisability of entering into voluntary public-private partnerships with internet ecosystem companies to facilitate actions by such companies to discover and disrupt the use of the platforms, systems, services and infrastructure of such companies by malicious cyber actors.”
Such a program would likely complement the “Joint Cyber Defense Collaborative” CISA established in August involving several internet service providers, cloud companies and cybersecurity firms.
Meanwhile, HSGAC had also advanced a bill reforming the Federal Information Security Modernization Act of 2014. Notably, the bill would have required agencies to report cyber attacks to CISA, and federal contractors to report hacks to their awarding agency. Lawmakers hailed the bill as codifying the central role of CISA in federal cybersecurity efforts.
But the FISMA reform bill did not have a counterpart pass through the House and it was not able to advance as an amendment to the Senate’s NDAA.