On March 11, 2022, the U.S. Senate passed an omnibus spending bill that includes language that would require certain critical infrastructure owners and operators to notify the federal government of cybersecurity incidents in specified circumstances. The House of Representatives had previously passed the bill on March 9, 2022. President Biden is expected to sign the bill and has until March 15, 2022, to do so before the current spending authorization expires.
The bill adopts the name of the House Committee on Homeland Security’s “Cyber Incident Reporting for Critical Infrastructure Act” and is a hybrid of previously introduced House and Senate legislation, including the Senate’s unanimously passed Strengthening American Cybersecurity Act, as well as new language. At a high level, the omnibus bill requires certain critical infrastructure owners and operators to report covered cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours, and ransomware payments within 24 hours. In turn, CISA is required to provide reports of such incidents to appropriate federal agencies within 24 hours.
The omnibus language requires CISA to propose rulemaking within 24 months (to be finalized 18 months later) defining important specifics, including what constitutes a covered entity, which cybersecurity incidents must be reported, and the required content of such reports.
The omnibus bill provides broad protection to the content of such submitted reports. Similar to the protections afforded to cybersecurity information voluntarily shared with the federal government pursuant to the Cybersecurity Information Sharing Act of 2015, the bill would:
- limit government use of reports to a cybersecurity purpose (or other very limited purposes);
- prohibit ransomware payment reports from being used to regulate covered entities;
- treat reports as proprietary information;
- exempt reports from Freedom of Information Act and state and local disclosure laws;
- not waive privilege of the reports;
- not treat reports as ex parte communications; and
- protect covered entities from liability for providing information to the federal government.
The omnibus bill provides new and broad protection to cyber incident reports, as well as “any communication, document, material, or other record, created for the sole purpose of preparing, drafting, or submitting such report.” The bill would prevent such information from being presented as evidence or subject to discovery before any federal, state, or local court or regulatory body. Under the omnibus bill, such protections would be limited to information created solely for preparing the report.
The White House issued a statement supporting the omnibus bill, although the Administration is divided over it. While CISA encouraged its passage, the DOJ criticized the bill's language for not requiring that reports be submitted to both CISA and the FBI.
Update: On March 15, 2022, President Biden signed the omnibus bill into law.