Cyber incident reporting requirements for critical infrastructure companies and other federal cybersecurity provisions were left out of this year's NDAA.
