The inclusion of bipartisan critical infrastructure incident reporting legislation in the House’s fiscal 2022 appropriations package shows broad support for getting a mandatory, CISA-led regime across the finish line this year, according to stakeholders.
“The incident reporting provisions that were included in the final bill reflect the agreement between the House and Senate on these issues, but do not reflect any last minute changes from the FBI or others. My understanding is that Congress and the administration writ large are comfortable with the language as written,” Michael Hettinger of Hettinger Strategy Group said.
Hettinger added, “From an industry perspective, what’s included on incident reporting is what’s been on the table for the last few months, and reflects a general consensus position that most believe we can live with.”
The Cyber Incident Reporting for Critical Infrastructure Act is part of a 2,741-page omnibus bill unveiled by the House Appropriations Committee on Tuesday evening that combines 12 appropriations bills to fund government as well as assistance related to the Ukraine crisis.
House members struggled to iron out details all day Wednesday and were expected to pass the measure late in the evening or sometime after midnight. The Senate is expected to take up the bill today but it’s unclear how long it will take to clear that chamber. Government funding expires at midnight Friday and the House was expected to pass another continuing resolution to fund government activities into early next week in case the Senate can’t complete action on the omnibus by Friday night.
The incident reporting language doesn’t address the FBI’s request to change the bill to extend liability protections to entities that share incident information directly with the FBI.
Bank Policy Institute president and CEO Greg Baer weighed in on the bill and how it addresses incident reporting.
Baer said, “The legislation being considered today by the House will strengthen U.S. cybersecurity by clearly defining how the private sector and its government partners should share information following a cyber incident. Importantly, it also helps bring other critical infrastructure sectors in line with many of the same best practices and standards applied to banks for over twenty years.”
“Increased information sharing will better protect our economy and critical infrastructure by enabling front-line cyber defenders to prevent and deter threats from nation-states and organized crime,” Baer said. “BPI appreciates the thoughtful and open discussions with Congress on this important national security issue and strongly supports the inclusion of these provisions championed” by leaders from the House and Senate Homeland Security committees.
Baer said, “We encourage both the House and Senate to promptly forward this legislation to the President’s desk to be signed into law.”
Mark Montgomery of the Foundation for Defense of Democracies and a leader of the Cyberspace Solarium Commission said, “I think the Incident Reporting provision being added to the Appropriations bill is good news. The language is very very close to the Senate version and should pass smoothly. This bill properly prioritizes the leadership role of CISA in working the public-private collaboration, and specifically information sharing. The FBI plays a crucial, supporting role in this effort.”
Megan Brown, a partner at the Wiley law firm, expressed concern over implementation challenges.
She said, “On the legislation, DHS will have its hands full developing these regulations because there are so many companies in each critical infrastructure sector. Many companies are asking if they will be covered and it isn’t clear; if they take a broad approach it could cover huge amounts of the U.S. economy and swamp the agency with reports. DHS is likely to have some very tough lines to draw.”
Brown said, “I’m not surprised the FBI’s preferred language didn’t make it in because this bill has been in process for a while and heavily edited over months so I think time ran out as the drafters have been eager to get this done. Though, I do wish the liability language had been expanded, as FBI wished.”
As part of the appropriations package, CISA will receive $2.6 billion to fully fund its fiscal 2022 activities.
Montgomery said, “The CISA Appropriations look excellent -- $2.59 billion dollars is very close to what CSC recommended and a big increase over the President's request of $2.1 billion. Specific programmatic increases were consistent with our CSC recommendations in numerous areas, including Sector Risk Management Agency responsibilities, Cyber Sentry program increases, Vulnerability Management Infrastructure funding, Hunt Incident Response Team growth, National Critical Functions assessment, and the CETAP K-12 education program as six examples.”
Hettinger said, “Overall, the funding for CISA is consistent with what I was expecting and should provide the resources necessary to continue to ramp up our cyber capabilities. One area that seems to have taken a hit was related to the cyber reserve, the $750 million request for addressing the SolarWinds incident that was spread out among the eight agencies that were most impacted by that. Looking at the final omnibus agreement I saw a number of agencies where the final funding for SolarWinds remediation and/or the cyber reserve came in below what was requested or expected.”
“Separately, it is disappointing to see funding for the [Technology Modernization Fund] zeroed out in the final bill. Despite the $1 billion in TMF funds that were provided last year via the American Rescue Plan Act of 2021, we know TMF demand exceeds funding. TMF has been a critical enabler of zero trust modernization projects and I continue to believe Congress needs to fund it at greater levels than they have to-date,” Hettinger said. -- Sara Friedman