On December 6, 2021, in the Memorandum for the Heads of Executive Departments and Agencies, the Office of Management and Budget (OMB) took a more aggressive position on strengthening the nation’s cybersecurity posture. Under this memorandum, federal agencies are now mandated to report “major” cyberattacks within one hour of discovery to the Cybersecurity and Infrastructure Security Agency (CISA) and to OMB. It also directs that affected agencies update their reports within one hour of determining that an already-reported incident is “major.”
A “major” incident is defined in the Memorandum as either:
- An incident that is likely to result in demonstrable harm to the national security interests, the foreign relations, or the economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people; or
- A breach that involves personally identifiable information (PII) that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, the foreign relations, or the economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.
This new approach to heightened cybersecurity requirements squares with other recent federal cyber reporting directives, including:
- Notification of cyber threats from federally regulated banking organizations
- Notification of cyber threats against covered freight railroads, passenger rail and rail transit systems
- Notification of cyber threats against health apps and connected devices that collect or use consumers’ health data
- Notification of cyber threats against designated critical pipeline owners and operators
Additionally, Congress is currently debating new cybersecurity-related legislation for non-federal-agency “covered entities” (the bill does not explicitly define “covered entities” but directs that the term be defined through consideration of several factors). The U.S. Senate is in negotiations about a defense policy spending bill (H.R. 4350) that includes definitions of terms such as “covered entity,” “covered cybersecurity incident,” and “cybersecurity threat.” The bill would task the Director of the Cybersecurity and Infrastructure Security Agency (Director) with establishing “reporting timelines for covered entities to submit promptly to the office covered cybersecurity incident reports, as the Director determines reasonable and appropriate based on relevant factors, but in no case may the Director require reporting by a covered entity earlier than 72 hours after confirmation that a covered cybersecurity incident has occurred.”
If passed, this legislation would not only affect reporting requirements but also provide federal-level definitions for many terms that are now defined predominantly at the state level. Given the lack of a comprehensive national standard for cybersecurity laws, it will be important to monitor not only how federal lawmakers define relevant terms, but also whether they implement federal reporting timelines in any new legislation.
Other proposed bipartisan legislation, including the Cyber Incident Notification Act of 2021, is still working its way through the legislative process. Introduced in response to the attacks on Colonial Pipeline and SolarWinds, this legislation is also designed to help tighten federal cybersecurity reporting requirements.