FY23 NDAA Omits Incident Reporting Amendment

min read

The final version of the National Defense Authorization Act for Fiscal Year 2023 excludes a proposed Senate amendment that would have required federal contractors and grant recipients to report cyber incidents involving their contracting/granting agency's data or systems to the agency.

Following the midterm elections in November, Congress had an array of traditional legislative business to finish during its year-ending "lame duck" session. The National Defense Authorization Act for Fiscal Year 2023 (FY23 NDAA) was one of those pieces of business. The NDAA sets the annual budget levels for the U.S. Department of Defense, which makes it a "must-pass" bill each year.

On December 8, the House passed a compromise version of the FY23 NDAA. Because the Senate had already agreed to the compromise version, there was no need for a House-Senate conference committee to resolve differences between each chamber's prior versions of the bill. The Senate passed the legislation on December 15, and President Biden signed the FY23 NDAA into law on December 23.

A key amendment proposed by the Senate Homeland Security and Governmental Affairs Committee (HSGAC) did not make it into the final bill. EDUCAUSE has been tracking that amendment, the Federal Information Security Modernization Act of 2022 (FISMA 2022) since it includes a provision that would lead to new cyber incident reporting requirements for colleges and universities.

Section 3595 of the act would establish cyber incident reporting responsibilities for federal contractors and awardees to the federal agencies or entities with which they have a contract or agreement. (Note that the legislation defines "contractor" in such a way that would encompass almost any organization that has an agreement of some kind with a federal agency.) Fortunately, unlike some previous cyber incident reporting proposals, FISMA 2022 would keep incident reporting scoped to the relevant contract or agreement. The legislation would require contractors/awardees to report cyber incidents to the contracting/granting agency only if those incidents involve federal data or information systems related to the contract/agreement or if the agency has shared information with the contractor/awardee that falls outside their agreement.

While the provision itself is relatively noncontroversial—a college or university would expect one of its contractors to notify it if the contractor had an incident involving the institution's data or systems—the bill would leave the details of the reporting process to the individual federal agencies. They would have one year from the date the bill is passed to establish "regulations, policies, and procedures" defining what their contractors/awardees would have to report and how. Additionally, the bill would direct the Cybersecurity and Infrastructure Security Agency (CISA) to set the timeframe in which an agency must subsequently share received reports of cyber incidents with CISA itself. Agencies would then have to give their contractors/awardees the same amount of time to fulfill their reporting responsibilities to the agencies.

As the bill refers to agencies implementing "regulations, policies, and procedures, as appropriate," it is possible that an agency could choose to implement required reporting via policy or procedure alone. Those "subregulatory actions" do not require the public comment process that accompanies traditional notice-and-comment rulemaking. This possibility could be particularly concerning for higher education institutions since the negotiated rulemaking process that the U.S. Department of Education must generally follow ensures an even higher degree of stakeholder input than traditional public comment processes. While the FISMA 2022 reporting requirement is limited in scope, colleges and universities would want to see as much engagement and transparency between the U.S. Department of Education and higher education institutions as possible given the depth and breadth of the federal student financial aid relationship across the higher education community.

This is the second consecutive NDAA cycle in which the HSGAC leadership has unsuccessfully attempted to attach its FISMA reform bill to the NDAA. The HSGAC is not likely to stop trying to get the legislation passed, however, since a committee source has indicated that HSGAC considers FISMA 2022 to be a key priority.Footnote1 Thus, the committee is expected to continue trying to incorporate the legislation into other must-pass bills if it cannot get a vote on a stand-alone basis. EDUCAUSE will keep an eye open for those efforts in the new Congress. If HSGAC's FISMA reform measure passes, federal agencies will have a relatively brief time to outline the reporting requirements that colleges and universities would ultimately face. That means that the EDUCAUSE community would have a relatively brief time to identify and respond to potential problems with agencies' proposed implementing regulations.

Note

  1. Tim Starks, "What's in Store for Cybersecurity in Congress's Stretch Run," The Washington Post, November 29, 2022. Jump back to footnote 1 in the text.

Jarret Cummings is Senior Policy Advisor at EDUCAUSE.

© 2023 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.