Good News on Cyber Incident Reporting Bill

Congress included cyber incident reporting legislation in its FY22 appropriations bill that recently became law. However, the legislation focuses solely on entities in the well-established "critical infrastructure" sectors, which exclude higher education.

On March 15, President Biden signed the Consolidated Appropriations Act of 2022 into law, ensuring the funding of the federal government through the remainder of the 2022 fiscal year (FY22). In addition to accomplishing that purpose, the bill covers other issues on which Congress had achieved bipartisan agreement, such as cyber incident reporting legislation. Fortunately, the reporting measure that passed includes important changes from similar legislation that almost became law late last year as an amendment to the National Defense Authorization Act (NDAA). The failed NDAA amendment would have pulled higher education into a cyber incident reporting regime that the Cybersecurity and Infrastructure Security Agency (CISA) would be directed to develop as a consequence of the legislation. The incident reporting legislation that passed, however, focuses on organizations that fall under the U.S. Department of Homeland Security's long-established "critical infrastructure" sectors, which exclude higher education.

Last October, when I wrote about the major cyber incident reporting bills before Congress, I noted that the congressional homeland security committees were proposing legislation that targeted the DHS critical infrastructure sectors. However, I also discussed a bill from the Senate Intelligence Committee that would expand the scope of covered entities to include almost all federal contractors, with "federal contractor" defined to include virtually all organizations that have an agreement with a federal agency.[1] Higher education did not have much reason to be nervous about the Senate Intelligence Committee bill at the time since the Homeland Security committees had jurisdiction over the issue and their own bills to address it. That changed as the FY22 NDAA process neared completion in late November 2021.

Congress views the NDAA each year as "must-pass" legislation, so it often serves as a vehicle to get other, non-defense measures into law. With this in mind, the Senate Homeland Security and Government Affairs Committee (Senate Homeland Security Committee) sought to attach its Cyber Incident Reporting Act (CIRA) of 2021 as an amendment to the Senate's version of the NDAA, in the hope that it would pass the Senate and survive into the final, compromise version of the NDAA negotiated with the House of Representatives. Between its original introduction and transition into a proposed NDAA amendment, however, the Senate Homeland Security and Intelligence Committees appeared to have struck a deal because CIRA had come to include the "federal contractor" requirement and definition from the Senate Intelligence reporting bill that would, if adopted, pull virtually all colleges and universities into required cyber incident reporting to CISA, under terms to be determined ultimately by CISA.[2]

Fortunately, the Senate passed its version of the FY22 NDAA in early December without including CIRA,[3] allowing higher education to breathe a sigh of relief. EDUCAUSE and other higher education groups were convinced that this reprieve was only temporary. We were almost certain that the Senate Homeland Security Committee would seek to attach CIRA to another "must-pass" piece of legislation as soon as it could after Congress returned from its winter break. The legislation would give CISA a couple of years to establish regulations implementing CIRA, so higher education wouldn't face an as-yet-unknown set of reporting requirements for an as-yet-unknown range of covered incidents for some time. However, it seemed inevitable that colleges and universities would eventually find themselves trying to comply with whatever reporting regime CISA put together.

The Consolidated Appropriations Act of 2022 presented the Senate Homeland Security Committee with the opportunity that EDUCAUSE and other higher education groups knew the committee was looking for, but something interesting happened on the way to getting cyber incident reporting legislation attached to the appropriations bill. The reporting legislation had morphed into the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, and the "federal contractor" requirement and definition were nowhere in sight. Instead, the legislation specifically cites the presidential policy directive under which the DHS critical infrastructure sectors were originally established to limit the scope of CIRCIA to entities within those sectors.[4] Thus, as a result of CIRCIA becoming law instead of CIRA, colleges and universities will be interested observers of how the CISA cyber incident reporting regulations and processes come together, rather than being "covered entities" subject to compliance with those regulations and processes.

Of course, this does not mean that higher education institutions will not face comprehensive federal cyber incident reporting requirements in the future. For example, the NDAA amendment mentioned previously also included a proposal to update the Federal Information Security Modernization Act (FISMA) to address, among many other issues, contractor and grantee responsibilities to their respective federal agencies for reporting security incidents involving agency data and/or systems. Unlike CIRCIA, the FISMA revisions did not make it into the appropriations bill, but they could easily emerge in the context of other legislation this year or in subsequent years. However, colleges and universities at least know for now that they are not among the organizations facing CISA cyber incident reporting requirements as those take shape over the next couple of years.

Notes

  1. Jarret Cummings, "Congress and Cyber-Incident Reporting," EDUCAUSE Review, October 28, 2021; "Critical Infrastructure Sectors," Cybersecurity & Infrastructure Security Agency (website), October 21, 2020.
  2. See Senate Amendment 4799 to Senate Amendment 3867, Div. F, Title LXI, S8482; for the full text of CIRA in the proposed amendment, see "Text of Amendments," Congressional Record 167, no. 201 (November 18, 2021), S8482–S8487.
  3. "APLU Analysis of the Fiscal Year 2022 National Defense Authorization Act" [https://www.aplu.org/members/councils/governmental-affairs/CGA-library/aplu-analysis-of-fy2022-ndaa/file], Association of Public and Land-grant Universities, December 16, 2021, 3.
  4. Division Y—Cyber Incident Reporting for Critical Infrastructure Act of 2022, U.S. Congress, House, "Consolidated Appropriations Act, 2022," 991; see pages 990–1011 for the full text of CIRCIA.

Jarret Cummings is Senior Policy Advisor at EDUCAUSE.

© 2022 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.