There is growing pressure to create a federal breach reporting requirement, both from within Congress and at the urging of the White House. Lawmakers are developing at least three legislative proposals, each with different timeframes for reporting cyber attacks: a Senate Intelligence Committee draft sets a 24-hour deadline, Senate Homeland Security and Governmental Affairs Committee language calls for CISA to set a deadline of 72 to 168 hours, and the House Homeland Security Committee wants CISA to set a deadline of no less than 72 hours.
CISA Director Jen Easterly, Federal CISO Chris DeRusha, and National Cyber Director Chris Inglis all testified to the Senate Homeland Security and Governmental Affairs Committee, whose chair Gary Peters (D-MI) and ranking member Rob Portman (R-OH) are working on a bill. They each said that the best way to ensure companies report cybersecurity incidents to federal agencies would be to legislate fines. Easterly argued that the subpoena authority in their current bill was “not an agile enough mechanism” to get useful information when it’s needed: both to assist the victim with recovery, and to provide useful intel to others for their protection.
Sources:
- Nextgov: Leading Cyber Officials Favor Fines Over Subpoenas to Enforce Incident Reporting
- CyberScoop: Biden Administration Officials Push Congress to Shape Breach Reporting Mandates
- Federal News Network: Biden Cybersecurity Leaders Back Incident Reporting Legislation as ‘Absolutely Critical’
- Gov Info Security: Senators Debate Cyber Rules for US Critical Infrastructure
- Federal Computer Week: Cyber Officials Look to Toughen up Reporting Requirements