Monday, March 7, 2022

Review - S 3600 Cyber Incident Reporting Provisions

Last week, the Senate passed S 3600, the Strengthening American Cybersecurity Act of 2022. Title II of that bill is the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The seven sections of that title outline the cyber incident reporting program to be established by CISA. The title establishes CISA as the action agency for the receipt, processing and sharing of information provided in such reports, and sets a 72-hour reporting standard for covered cyber incidents and a 24-hour reporting standard for making ransomware payments. It also gives CISA 42 months to complete a rulemaking implementing these requirements.

Commentary

While a mandatory reporting requirement is long overdue, the reality is that even if this bill were to pass tomorrow, the reporting process will still be years in the making. The rulemaking process is lengthy, with the 24-month NPRM requirement and the 18-month final rule publication requirement pushing the process out to three and a half years (plus whatever effective-date delay is included in the final rule) before the process goes live. And that is ‘IF’ CISA is able to comply with those time constraints.

Congress gave DHS six months to stand up the Chemical Facility Anti-Terrorism Standards (CFATS) program under an interim final rule. That deadline was essentially met, and DHS included an NPRM that was not required by the authorizing language. A more reasonable deadline for a cyber incident reporting interim final rule would be somewhere between six months and a year. This is especially true here because the legislation outlines the requirements in quite some detail.

For more details about the specific requirements in the legislation, particularly for the rulemaking, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-3600-cyber-incident-reporting-provisions - subscription required.
