House Passes NDAA Without Cyber Incident Reporting Legislation

uschools/istockphoto

The bill still includes what the House Armed Services Committee referred to as the widest empowerment of CISA since SolarWinds.

The National Defense Authorization Act for 2022 moved closer to becoming law but does not include cybersecurity incident reporting legislation lawmakers had been negotiating all year.

"There were intensive efforts to get cyber incident reporting done but ultimately the clock ran out on getting it in the NDAA,” House Homeland Security Committee Chairman Bennie Thompson, D-Miss and Rep. Yvette D. Clarke, D-NY, who chairs the committee’s panel on cybersecurity, said in a joint statement Tuesday.

The House on Tuesday passed the NDAA conference report—language House and Senate Armed Services Committee leaders agree on that reconciles versions of the bill from each chamber. The next step is a vote on the conference report by the Senate. 

The incident reporting provision would have required private sector entities to report any incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours, and ransomware attacks within 24 hours. It was included in the initial House-passed legislation but—along with an update of the Federal Information Security Modernization Act—did not make it through the Senate’s amendment process and was ultimately left off the conference report.    

“There was dysfunction and disagreement stemming from Senate Republican leadership that was not resolved until mid-morning today – well past the NDAA deadline,” Thompson and Clark said. “This result is beyond disappointing and undermines national security. We had hoped to mark the one-year anniversary of the discovery of the SolarWinds supply chain attack by sending cyber incident reporting legislation to the President’s desk. Instead, Senate Republican leaders delayed things so significantly that the window closed on getting cyber incident reporting included in the NDAA.”

Not everyone loved the bipartisan incident reporting provision. Sen. Rick Scott, R-Fla., reportedly requested changes that would limit the reporting requirements to certain critical infrastructure entities. But a spokesman for the senator said he was expecting those changes to be made and expressed disappointment that the provision was removed entirely. 

Another component not entirely pleased with the incident reporting provision was the FBI, which warned that leaving the bureau out of the reporting loop would be detrimental.  

The annual Defense Authorization Act still “initiates the widest empowerment and expansion of CISA through legislation since the SolarWinds incident,” according to a summary of the bill released by the House Armed Services Committee Tuesday

The bill gives CISA added responsibilities around identifying threats to industrial control systems, and removing cybersecurity vulnerabilities while establishing voluntary partnerships with industrial control system and internet ecosystem companies. 

It also includes legislation that would direct the Department of Homeland Security to issue grants to cybersecurity-related companies in Israel as long as they were part of a joint venture with a corresponding U.S. entity.