Today, Rep. Yvette D. Clarke (D-NY), Chairwoman of the Cybersecurity, Infrastructure Protection & Innovation Subcommittee, along with Rep. Bennie G. Thompson (D-MS), Chairman of the Homeland Security Committee, Rep. John Katko (R-NY), Ranking Member of the Homeland Security Committee, and Rep. Andrew Gabarino (R-NY), Ranking Member of the Cybersecurity, Infrastructure Protection & Innovation Subcommittee introduced the Cyber Incident Reporting for Critical Infrastructure Act of 2021. This bipartisan legislation would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to establish requirements and procedures for covered critical infrastructure owners and operators to report covered cybersecurity incidents to a new Cyber Incident Review Office, to be established within CISA.
This standalone legislation was also included as a bipartisan amendment to H.R. 4350, the National Defense Authorization Act for FY 2022, which passed the U.S. House of Representatives on September 23.
“From SolarWinds to Colonial Pipeline, JBS, Kaseya, we have seen one devastating cyberattack after another against our nation’s critical infrastructure. After these attacks, we consistently heard that the Federal government – and CISA in particular – needs better situational awareness about how these attacks are happening so that they can help owners and operators defend their networks, and understand long-term trends in adversary behavior,” said Chairwoman Clarke. “That is why I am introducing this bipartisan legislation to require covered critical infrastructure entities to report certain cyber incidents to CISA. This bill would direct CISA to work with stakeholders to craft requirements that are tailored to get CISA the information it needs to understand the cyber threat landscape – while also preserving CISA’s long-standing voluntary partnerships. While I am pleased that this critical legislation passed the House as part of the NDAA last week, more work remains to ensure final passage. I thank Chairman Thompson, as well as Ranking Member Katko and Ranking Member Garbarino, for their months of working closely with me on this critical legislation and I look forward to continuing to work with them to see this bill become law.”
“As our nation continues to be faced with more frequent and increasingly sophisticated cyber attacks, authorizing mandatory cyber incident reporting is a key cybersecurity and national security priority,” said Chairman Thompson. “I applaud Chairwoman Clarke, as well as Ranking Member Katko and Ranking Member Garbarino, for their months of dedicated work to put together this legislation to require covered critical infrastructure entities to report certain cyber incidents to CISA. Once enacted, CISA will be on the path to getting the information it needs to identify malicious cyber campaigns early, gain a greater understanding of the cyber threat landscape, and be a better security partner to its critical infrastructure partners.”
“Cyber threats remain the preeminent national security threat in our lifetime. To combat these threats, we must continue to bolster CISA as the nation’s lead cybersecurity agency, responsible for not only the protection of federal networks, but also our nation’s critical infrastructure,” said Ranking Member Katko. “As I’ve laid out in my five pillars, CISA cannot do this job without increased visibility across the critical infrastructure networks. We look forward to continuing to work with CISA to ensure this effort properly provides the agency with the needed visibility and support to protect our nation’s critical infrastructure and federal networks. Our top priority remains ensuring CISA can effectively carry out its vital role as the quarterback of federal cybersecurity efforts. I thank Chairman Thompson, Subcommittee Chairwoman Clarke, and Subcommittee Ranking Member Garbarino for their partnership and work on this important issue.”
“With cyber incidents on the rise, it’s imperative that we create a mechanism for tracking cyberattacks so CISA can identify cross-sector points of vulnerability and share information to mitigate such risks,” said Ranking Member Garbarino. “I am confident, thanks to the input we received from industry experts in our critical infrastructure sectors, that this bill will not only help us accomplish this goal, but it will do so in a way that accounts for the practical needs of industry. I am proud to join my colleagues in introducing this bipartisan legislation that will go a long way toward helping CISA and critical infrastructure owners and operators respond to and mitigate future cyber threats.”