Bipartisan Senators Introduce the Cyber Incident Notification Act of 2021

Specifically, if passed, the Act would require federal agencies, federal contractors, owners and operators of critical infrastructure, and nongovernmental entities that provide cybersecurity incident response services (collectively called covered entities) to report potential or actual cybersecurity intrusions to the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of “confirmation” of the intrusion. The legislation also would require that until a cybersecurity intrusion is mitigated, or any follow up investigation is completed, a covered entity must submit any new cybersecurity threat information that it discovers to the CISA within 72 hours. Notably, the Act defines the term “Federal Contractor” as “contractors and subcontractors (at any tier) of the United States Government.” Thus, like many other recent cybersecurity initiatives, the Act would impact the most companies in the federal supply chain. The Act will not apply to subcontractors that hold only services contracts to perform housekeeping or custodial services, or contracts to provide goods or services unrelated to information technology below the micro-purchase threshold.

The Act would provide some welcome protections. The Act states that cybersecurity notifications provided by covered entities to the CISA shall be exempt from disclosure under the Freedom of Information Act (FOIA).  Additionally, the Act states that such information shall not be admitted as evidence in any civil or criminal action or subject to any subpoena, unless the subpoena is issued by Congress for oversight purposes. These provisions may further motivate federal contractors to comply with the Act’s requirements.

The Act also includes enforcement provisions. The Act states that if a Federal Contractor violates the requirements of the Act, the Federal Contractor shall be subject to penalties to be determined by the Administrator of the General Services Administration, which may include removal from Federal Contracting Schedules. The Act also stated that covered entities that do not hold federal contracts shall be subject to financial penalties equal to 0.5 percent per day of the entity’s gross revenue from the prior year.

Although the Act includes the high-level initiatives discussed above, it is silent on many important details. In this regard, within 270 days of its enactment, the Act would require that the Secretary of DHS acting through the Director of the CISA promulgate an interim final rule. The Act states that the interim final rule shall define important terms such as “cybersecurity intrusion,” and shall provide further guidance on when the reporting obligations would be triggered (for example, when a cybersecurity intrusion or potential cybersecurity intrusion would be considered confirmed). The interim final rule would also include details regarding the specific information that covered entities would need to include in their reports. The Act also states that the interim final rule shall address whether a covered entity will be required to report a cybersecurity intrusion that it is aware of even if the cybersecurity intrusion does not directly impact the networks or information systems owned or operated by the covered entity. Thus, the final rule could put entities that provide incident response services in a difficult position if they are required to report potential or actual cybersecurity intrusions that they become aware of through their federal contractor clients.  

This legislation is yet another example of the increased prioritization of cybersecurity beyond Department of Defense agencies, which are transitioning to the CMMC model, as we have reported on previously. Given its broad bipartisan support, contractors and subcontractors throughout the federal supply chain should ensure that they are prepared to report and respond to potential and actual cybersecurity intrusions.