Skip to main content

The fiscal year 2022 appropriations bill approved by Congress last week includes the text of long-debated legislation that will require certain critical infrastructure owners and operators to promptly report cyber incidents to DHS’ Cybersecurity Information and Security Agency (CISA).

The Cyber Incident Reporting for Critical Infrastructure Act was included as Division Y of the omnibus appropriations bill that will fund the federal government for the balance of the 2022 fiscal year. Earlier this month the incident reporting measure had been approved by the Senate as part of a larger package of cyber legislation, and as concerns about cyberattacks related to the war in Ukraine gave the proposal increased momentum on Capitol Hill.

The incident reporting provisions will require covered critical infrastructure owners and operators to report to CISA within 72 hours of a reasonable belief that they have experienced a cyberattack or within 24 hours of making a cyber ransom payment. The measure contains limits on how the information contained within reports could be used and will allow CISA to subpoena information about cyberattacks that are not reported pursuant to the legislation.

The language does not identify water systems as critical infrastructure entities that will be subject to the reporting requirements, but CISA will be charged with defining which critical infrastructure entities are covered through rulemaking. CISA will be required to propose a rule within 24 months of enactment of the law, and to finalize the rule within 18 months of the proposal. Water systems and other stakeholders will have an opportunity to comment, but it is likely that at least some major drinking water systems will be covered by the reporting requirements, particularly if there is a belief that a successful cyberattack against them could lead to significant public health or economic consequences.

The legislation directs CISA to provide certain entities, including sector Information Sharing and Analysis Organizations, with “timely, actionable, and anonymized reports” about cyber incidents and trends. CISA will also have to enhance the quality and effectiveness of its information sharing and coordination efforts with these entities.