Cyber incident reporting mandates suffer another congressional setback

Dec 7, 2021 | CYBERSCOOP

House and Senate negotiators have excluded provisions from a must-pass defense bill that would have required many companies to report major cyberattacks and ransomware payments to federal officials.

A compromise version of the fiscal 2022 National Defense Authorization Act (NDAA) released Tuesday leaves out the language, which would have set timeframes for when critical infrastructure owners and operators must report major incidents and would have required some companies to report making ransomware payments. Supporters of the language ran out of time to reach an agreement on the final phrasing before NDAA sponsors moved ahead on their final compromise bill, a senior Senate aide said.

It’s a big setback for backers of the reporting mandates, as attaching provisions to the annual NDAA has been the path for a number of monumental cyber ideas to become law. Still, some key disputes over the reporting mandate provisions have been resolved, and backers might be able to soon advance the language separately, the aide said.

Bipartisan momentum has built in both chambers behind the notion of forcing critical infrastructure owners and operators to report major cyberattacks to the Department of Homeland Security’s Cybersecurity and Infrastructure Security
