- September 8, 2021
A draft of the Cyber Incident Notification Act of 2021 has been circulating in the United States Congress. The act would require certain federal contractors, critical infrastructure owners and operators, and incident response providers to tell the federal government when they have been hacked. It would also establish a Cyber Incident Review Office (CIR Office) within the Cybersecurity and Infrastructure Security Agency (CISA), and the covered owners and operators would report their cybersecurity incidents to that office.
This article looks at the details of the Cyber Incident Notification Act of 2021 and at what it would mean for small and midsize businesses that provide services to the federal government.
What is the Cyber Incident Notification Act of 2021?
The Cyber Incident Notification Act of 2021 (CINA) was circulated in the summer of 2021. Its goal is to speed up the reporting of cybersecurity incidents, not just data breaches: federal agencies, federal contractors and organizations considered critical to U.S. national security would have to report qualifying incidents to CISA within 24 hours.
Until now there has been no general federal requirement that companies with ties to the government report cyberattacks, apart from sector- or contract-specific rules. In practice that means the government could remain unaware of intrusions that threaten national security. The bill is meant to close that gap by ensuring the government learns of incidents that may become a national threat.
The bill also includes liability protection for reporting organizations, shielding them from lawsuits that could otherwise arise from disclosing an attack.
Who is affected by the bill?
The precise definition of covered entities has not been finalized, but the text of the bill (hosted on Senator Roy Blunt's website) describes the umbrella as covering “federal contractors, operators or owners of critical infrastructure, and nongovernmental entities that provide cybersecurity incident response services.”
Federal contractors that violate the act would also face penalties spelled out in the bill, including possible removal from the federal contracting schedules, as determined by the Administrator of General Services.
What type of incidents must be reported?
Incidents that fall into any of the following categories must be reported:
- Cybersecurity incidents that involve, or are believed to involve, a nation-state actor.
- Cybersecurity incidents that involve, or are believed to involve, a transnational organized criminal group.
- Cyber incidents that are likely to have significant national consequences.
- Cyber incidents that involve ransomware.
- Incidents that have the potential to affect CISA systems.
- Incidents that harm, or are believed to harm, U.S. foreign relations, national security interests or economic interests.
- Cybersecurity incidents that result, or are believed to result, in harm to public health and safety, or to the lives and property of Americans.
What should be mentioned in the cybersecurity incident reporting, and what will be its format?
When reporting a cybersecurity incident, data breach or cyber threat, an organization must provide the following details:
- A description of the incident: which systems and networks were affected, and the date and time of the intrusion.
- Activities and techniques observed: the tactics, techniques and procedures (TTPs) the threat actor used to gain access.
- Indicators that could help others identify the same attack early: specific domains, IP addresses or software involved.
- Actions taken: any steps your organization has taken to contain and limit the attack.
- Your organization's contact information, which the federal agency will use to reach you.
Once an intrusion or cyber threat is confirmed, the organization must report it to CISA within 24 hours, including all of the information above. After receiving the report, CISA would have 48 hours to contact the organization about the intrusion and take the steps needed to offer support.
What will be the consequences of violating the Cyber Incident Notification Act?
The act sets out three tiers of penalties for entities that fail to report a covered cybersecurity incident to CISA:
- Federal agencies: the failure is referred to the agency's Inspector General and treated as a matter of urgent concern.
- Government contractors: penalties are determined by the Administrator of the General Services Administration and may include removal from the federal contracting schedules.
- Organizations without government contracts: financial penalties of up to 0.5% of the organization's gross revenue from the prior year for each day the violation continued or continues.
So, what’s next?
The final version of the bill may take some time to emerge, but it should raise the baseline for cybersecurity practice among the organizations it covers. It would push those organizations to build more robust security programs that protect the integrity and privacy of customer data, and it would give the government earlier visibility into attacks that threaten national security.