Saturday, August 14, 2021

Review - S 2407 Introduced – Cyber Incident Notification

Last month, Sen Warner (D,VA) introduced S 2407, the Cyber Incident Notification Act of 2021. The bill would establish CISA as the Federal agency to receive reports of cyber intrusions. It would also require CISA to initiate rulemaking to establish which private sector entities would be required to submit cyber intrusion reports. The bill would add five new sections to the Homeland Security Act of 2002 as the new Subtitle C, Cybersecurity Intrusion Reporting Capabilities. No monies are authorized in the bill to support the programs established.

The bill would designate CISA as the federal agency responsible for receiving “cybersecurity notifications from other Federal agencies and covered entities in accordance with this subtitle.” CISA would have 240 days to establish ‘Cybersecurity Intrusion Reporting Capabilities’ that would allow CISA to accept classified and unclassified ‘submissions and notifications’. It would require CISA to promulgate regulations to support that ‘reporting capability’, including defining the two key terms: ‘covered entity’ and ‘cyber intrusion’.

This bill was crafted by the staff of the Senate Select Committee on Intelligence and was cosponsored almost exclusively by members of that Committee. Unfortunately, that bipartisan support does not extend to a single sponsor from the Senate Homeland Security and Governmental Affairs Committee, to which this bill was assigned for consideration. This means that the bill is unlikely to receive consideration in that Committee.

The broad and largely undefined reporting requirements are sure to draw objections from most business organizations, especially given the civil penalty provisions included in the bill. That opposition would be sure to draw support from Senators on both sides of the aisle. This bill would probably not draw enough support to be able to pass cloture if the bill did move to the floor of the Senate.

For more details on the provisions of this bill, see my article at CSFN Detailed Analysis - https://patrickcoyle.substack.com/p/s-2407-introduced - subscription required.
