Critical infrastructure companies including water, wastewater and energy utilities, nuclear reactors and nuclear waste facilities, hospitals and other health care organizations, IT companies such as cloud service providers, the Defense Industrial Base (DIB) and others will be required to report covered cyber incidents within 72 hours to the Cybersecurity and Infrastructure Security Agency (CISA), and ransomware payments within 24 hours, according to the fiscal year 2022 government funding bill Congress dropped Wednesday. The reporting obligations take effect only after CISA completes the rulemaking the bill directs it to carry out, which will define which entities and which incidents are covered.
The $1.5 trillion spending package allocates $2.59 billion for CISA to address cyberthreats facing U.S. critical infrastructure sectors, granting the agency $300 million more than the Biden administration’s budget proposal.
The new cyber incident reporting requirement comes as the U.S. braces for potential malicious cyber activity due to Russia’s invasion of Ukraine and after nearly a year of calls from federal cyber leaders to mandate cyber incident reporting and information-sharing in order to better address and prepare for cyberattacks against the nation’s critical infrastructure sectors.
The requirement also comes just weeks after the Defense Department Inspector General found that some academic and research contractors within the DIB “did not consistently implement cybersecurity controls in accordance with federal and DOD requirements for safeguarding controlled unclassified information (CUI).”
The contractors reviewed by the DOD IG did not enforce multi-factor authentication, did not mitigate vulnerabilities “in a timely manner,” did not monitor network traffic or scan for viruses, and did not disable user accounts after designated periods of inactivity, according to the Feb. 22 report. The IG attributed the gaps to DOD contracting officials’ failure to verify contractors’ compliance with National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”
DOD CISO David McKeown said during a DOD town hall Feb. 24 he wants the DIB to report cyber incidents to the DOD Cyber Crime Center (DC3) within 72 hours. He encouraged defense contractors to “go beyond” reporting requirements due to the pervasiveness of malicious cyber activity and to review NIST special publication 800-171.
“I think we've thwarted a good number of attacks by our intelligence sharing and your sharing of information about things going on in your network,” he said during the town hall.
McKeown’s comments joined the chorus of critical infrastructure sectors and other federal cyber leaders calling for cyber incident reporting requirements over the past year.
FireEye (the cybersecurity firm that discovered the SolarWinds software supply chain breach), the Information Technology Industry Council (ITI), USTelecom and the American Gas Association urged Congress to mandate a flexible 72-hour window for cyber incident reporting during a House Homeland Security Committee hearing in September 2021.
CISA Director Jen Easterly and Executive Director Brandon Wales also repeatedly asked Congress to mandate cyber incident reporting to CISA last year.
“We need the information to engage with the victim, offer our assistance, understand what's happening on their networks and protect other victims,” Wales said during a House Oversight Committee hearing in November 2021. “Even today there is a lot we're doing across the U.S. government to improve our public-private partnership and enable more cyber defensive activities to protect the homeland. JCDC (the Joint Cyber Defense Collaborative) brought together the critical government agencies and those companies in the private sector that have the best visibility into the cyber ecosystem. These are companies that can take action on a massive scale.”
Easterly’s JCDC initiative, launched in August 2021, aims to improve information-sharing around cyber threats and incidents between private and public sector partners, but Wales said requiring critical infrastructure companies to report incidents is another necessary step.
The government funding bill also dedicates $10.7 billion in funding to the Federal Bureau of Investigation (FBI) and requires the director of the FBI to develop a cybercrime database within the FBI’s Uniform Crime Reporting program.