Four US Senators have introduced a new bipartisan amendment to the 2022 National Defense Authorization Act (NDAA) that will force critical infrastructure owners and operators as well as civilian federal agencies to report all cyberattacks and ransomware payments to CISA.
Two Democrats — Gary Peters and Mark Warner — worked alongside two Republicans — Rob Portman and Susan Collins — to push the amendment, which they said was based on Peters and Portman’s Cyber Incident Reporting Act and Federal Information Security Modernization Act of 2021.
The amendment only covers confirmed cyberattacks and not ones that are suspected. But it forces all federal contractors to report attacks. There is no fine component in the amendment, one of the many provisions senators had been fighting over for months.
Victims organizations will have 72 hours to report attacks, another hotly debated topic among government cybersecurity experts. Some wanted it to be within 24 hours and others said it should be within a week.
But the 72 hour limit does not apply to all organizations. Some — which the senators said included businesses, nonprofits and state and local governments — would be forced to report ransomware payments to the federal government within 24 hours of payment being