Cyber Incident Reporting on Critical Infrastructure 

Following the SolarWinds and Colonial Pipeline hacks, lawmakers introduced draft legislation on cyber incident reporting. Learn how it may affect your organization.

This summer was marked by efforts to secure critical infrastructure from cyber intrusions, as many federal officials and IT security specialists report. More specifically, senators and members of federal committees worked on legislation in the area of incident reporting. As a result, two long-gestating draft bills were introduced – the Cyber Incident Notification Act of 2021 and the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

Both bills seek to address some of the important issues arising from recent cyberattacks that affected U.S. critical infrastructure. Both aim to replace the voluntary model of incident reporting with a mandatory reporting regime. Below we lay out the specific characteristics of the draft bills and the main expectations for the future legislation.

Obligation to Report Critical Cyber Incidents

In June 2021, bipartisan lawmakers formally introduced a draft bill officially cited as the Cyber Incident Notification Act of 2022. The bill would require federal agencies, government contractors, and critical infrastructure owners and operators to report cyber intrusions to a Cyber Incident Review Office (CISA) within 24 hours of their discovery.

On August 27, 2021, the U.S. House Homeland Security Committee released a similar draft bill known as the Cyber Incident Reporting for Critical Infrastructure Act of 2021. The bill would amend the Homeland Security Act of 2002, establish the Cyber Incident Review Office (CIR Office) within CISA, and obligate critical infrastructure owners and operators to report cybersecurity incidents to this office.

Triggers for Mandatory Incident Reporting 

Legislation on mandatory incident reporting had been in the works for quite a while. However, the recent severe hacker attacks on U.S. critical infrastructure companies escalated governmental activity in this area.

The most discussed incidents in this regard are the hack of IT management firm SolarWinds that occurred in December 2020 and the ransomware attack on the Colonial Pipeline company on May 6, 2021. The first incident compromised hundreds of private companies; the second caused fuel shortages along the Atlantic seaboard. No wonder these cybersecurity events became “wake-up calls” for strengthening preparedness against new cybersecurity issues.

Notably, the bills may also be considered a federal response to the president’s recent Executive Order on Improving the Nation’s Cybersecurity, published on May 12, 2021. The order aimed to mandate national cybersecurity changes by focusing on critical infrastructure owners and the federal supply chain. It also called for the development of a mandatory reporting mechanism for severe cyber incidents.

Specifying the Bills’ Requirements 

Organizations that have already reviewed the draft bills may have more questions than answers, because some of the bills’ requirements are vague. For instance, many organizations might wonder whether they would fall into the category of covered organizations, which incidents they would need to report, or what the reporting procedure and timeline would be.

To specify the requirements and procedures for cybersecurity reporting, the Director of the Department of Homeland Security must publish an interim rule. The specifications will cover, among other things, which owners and operators of critical infrastructure are “covered entities” and the types of “cybersecurity incidents” that would trigger reporting obligations.

Who is Affected 

The bills commonly target federal agencies, government contractors, and critical infrastructure owners and operators. The targeted organizations are commonly referred to as covered organizations; however, the full definition of covered organizations has not been settled yet. It is known that the definition must include “at a minimum, federal contractors, owners or operators of critical infrastructure, and nongovernmental entities that provide cybersecurity incident response services.” Thus, organizations are now awaiting clarification of their status under future incident reporting legislation.

What Incidents Would be Reportable

The definition of reportable incidents is also vague and requires more precision. According to the Cyber Incident Notification Act of 2021, security incidents that warrant notification are those that:

  • Involve or are believed to involve a nation-state, an Advanced Persistent Threat actor, or a transnational organized crime group.
  • Harm U.S. national security interests, foreign relations, or the U.S. economy and are likely to be of significant national consequence.
  • Have the potential to affect CISA systems.
  • Involve ransomware.

The Cyber Incident Reporting for Critical Infrastructure Act of 2021 has a broader definition of the “cybersecurity incidents” that are expected to be reportable. Specifically, a reportable cybersecurity incident shall, at a minimum, involve one of the following:

  • Unauthorized access to an information system (IS) or network that leads to a loss of confidentiality, integrity, or availability of that IS or network.
  • Disruption of business or industrial operations due to particular kinds of hacker attacks against an IS, network, or operational technology system or process.
  • Unauthorized access or disruption of business or industrial operations due to a loss of service facilitated through a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain attack.

As such, critical infrastructure owners and operators and other covered organizations must be highly attentive to any suspicious activity in their systems.

To Whom to Report the Incidents

As the Cyber Incident Notification Act states, covered organizations would report cyber incidents and intrusions to CISA. That requirement is pretty straightforward; the same cannot be said for the Cyber Incident Reporting for Critical Infrastructure Act of 2021. The second bill aims to establish a special CIR Office which, alongside receiving the reports, would have the following responsibilities:

  • Receive, aggregate, and analyze submitted reports related to covered cybersecurity incidents.
  • Assess the effectiveness of the covered organization’s security controls.
  • Identify the tactics, techniques, and procedures adversaries use to overcome such controls.
  • Facilitate timely information sharing between relevant critical infrastructure owners and operators and, as appropriate, the intelligence community.
  • Conduct reviews of “significant cyber incidents” and identify ways to prevent or mitigate similar incidents in the future.
  • Publish public reports that describe aggregated, anonymized observations and recommendations based on cyber incident reports.
  • Proactively identify opportunities to leverage data on cybersecurity incidents to enable and strengthen cybersecurity research by academic institutions and private sector organizations.

How to Report the Incidents

While organizations are still waiting on incident reporting specifications, some minimum reporting requirements are set out in the Cyber Incident Notification Act. Thus, incident reports are expected to include:

  • A clear and concise description of the incident.
  • Specifications of the systems and networks affected.
  • An estimate of when the incident is likely to have occurred.
  • Information about the exploited vulnerabilities of the systems and networks, and the tactics, techniques, and procedures known to have been used by the threat actors.

In addition to the above, organizations would be expected to provide any other information that could reasonably help identify the cyber actor. This information includes, but is not limited to, Internet Protocol (IP) addresses, domain name service (DNS) information, and samples of malicious software.

All in all, organizations should follow official updates regarding future incident reporting legislation. The most anticipated updates include the DHS Director’s interim rule, CISA specifications, and the updated NIST standard on incident reporting. The latter would consist of guidance on mandatory incident information sharing and is expected to be published later this year (2021).

What if an Organization Fails to Report the Incident?

Failure to report a security incident could attract a financial penalty of up to 0.5% of the organization’s gross revenue or removal of the organization from federal contracting schedules. The Cyber Incident Notification Act gives CISA 48 hours to request information about the security incident and respond to the organization’s report.

The Cyber Incident Reporting for Critical Infrastructure Act does not include any specific fines for failing to report cyber incidents. However, it states that unreported cybersecurity incidents will result in an official subpoena to determine whether the cyber incident belongs to the covered cybersecurity incidents.

To encourage organizations to report cybersecurity incidents, the bills include liability protections for breached entities. This measure would protect prudent organizations against potential lawsuits that could arise from disclosing security incidents. It would also allow personal data to be submitted anonymously when reporting breaches under the Cybersecurity Information Sharing Act of 2015.

For more detailed information about cyber incident reporting, consult the Planet 9 team. We’ll be happy to assist.