(a) In general
(1) Covered cyber incident reports
(A) In general
A covered entity that experiences a covered cyber incident shall report the covered cyber incident to the Agency not later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred.
(B) Limitation
The Director may not require reporting under subparagraph (A) any earlier than 72 hours after the covered entity reasonably believes that a covered cyber incident has occurred.
(2) Ransom payment reports
(A) In general
A covered entity that makes a ransom payment as the result of a ransomware attack against the covered entity shall report the payment to the Agency not later than 24 hours after the ransom payment has been made.
(B) Application
The requirements under subparagraph (A) shall apply even if the ransomware attack is not a covered cyber incident subject to the reporting requirements under paragraph (1).
(3) Supplemental reports
A covered entity shall promptly submit to the Agency an update or supplement to a previously submitted covered cyber incident report if substantial new or different information becomes available or if the covered entity makes a ransom payment after submitting a covered cyber incident report required under paragraph (1), until such date that such covered entity notifies the Agency that the covered cyber incident at issue has concluded and has been fully mitigated and resolved.
(4) Preservation of information
Any covered entity subject to requirements of paragraph (1), (2), or (3) shall preserve data relevant to the covered cyber incident or ransom payment in accordance with procedures established in the final rule issued pursuant to subsection (b).
(5) Exceptions
(A) Reporting of covered cyber incident with ransom payment
If a covered entity is the victim of a covered cyber incident and makes a ransom payment prior to the 72 hour requirement under paragraph (1), such that the reporting requirements under paragraphs (1) and (2) both apply, the covered entity may submit a single report to satisfy the requirements of both paragraphs in accordance with procedures established in the final rule issued pursuant to subsection (b).
(B) Substantially similar reported information
(i) In general
Subject to the limitation described in clause (ii), where the Agency has an agreement in place that satisfies the requirements of section 681g(a) of this title, the requirements under paragraphs (1), (2), and (3) shall not apply to a covered entity required by law, regulation, or contract to report substantially similar information to another Federal agency within a substantially similar timeframe.
(ii) Limitation
The exemption in clause (i) shall take effect with respect to a covered entity once an agency agreement and sharing mechanism is in place between the Agency and the respective Federal agency, pursuant to section 681g(a) of this title.
(iii) Rules of construction
Nothing in this paragraph shall be construed to—
(I) exempt a covered entity from the reporting requirements under paragraph (3) unless the supplemental report also meets the requirements of clauses (i) and (ii) of this paragraph [so in original; probably should be “subparagraph”];
(II) prevent the Agency from contacting an entity submitting information to another Federal agency that is provided to the Agency pursuant to section 681g of this title; or
(III) prevent an entity from communicating with the Agency.
(C) Domain name system
The requirements under paragraphs (1), (2) and (3) shall not apply to a covered entity or the functions of a covered entity that the Director determines constitute critical infrastructure owned, operated, or governed by multi-stakeholder organizations that develop, implement, and enforce policies concerning the Domain Name System, such as the Internet Corporation for Assigned Names and Numbers or the Internet Assigned Numbers Authority.
(6) Manner, timing, and form of reports
Reports made under paragraphs (1), (2), and (3) shall be made in the manner and form, and within the time period in the case of reports made under paragraph (3), prescribed in the final rule issued pursuant to subsection (b).
(7) Effective date
Paragraphs (1) through (4) shall take effect on the dates prescribed in the final rule issued pursuant to subsection (b).
(b) Rulemaking
(1) Notice of proposed rulemaking
Not later than 24 months after March 15, 2022, the Director, in consultation with Sector Risk Management Agencies, the Department of Justice, and other Federal agencies, shall publish in the Federal Register a notice of proposed rulemaking to implement subsection (a).
(2) Final rule
Not later than 18 months after publication of the notice of proposed rulemaking under paragraph (1), the Director shall issue a final rule to implement subsection (a).
(3) Subsequent rulemakings
(A) In general
The Director is authorized to issue regulations to amend or revise the final rule issued pursuant to paragraph (2).
(B) Procedures
Any subsequent rules issued under subparagraph (A) shall comply with the requirements under chapter 5 of title 5, including the issuance of a notice of proposed rulemaking under section 553 of such title.
(c) Elements
The final rule issued pursuant to subsection (b) shall be composed of the following elements:
(1) A clear description of the types of entities that constitute covered entities, based on—
(A) the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety;
(B) the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and
(C) the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.
(2) A clear description of the types of substantial cyber incidents that constitute covered cyber incidents, which shall—
(A) at a minimum, require the occurrence of—
(i) a cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes;
(ii) a disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability, against [so in original; probably should be followed by a dash]
(I) an information system or network; or
(II) an operational technology system or process; or
(iii) unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise;
(B) consider—
(i) the sophistication or novelty of the tactics used to perpetrate such a cyber incident, as well as the type, volume, and sensitivity of the data at issue;
(ii) the number of individuals directly or indirectly affected or potentially affected by such a cyber incident; and
(iii) potential impacts on industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers; and
(C) exclude—
(i) any event where the cyber incident is perpetrated in good faith by an entity in response to a specific request by the owner or operator of the information system; and
(ii) the threat of disruption as extortion, as described in section 681(14)(A) [see References in Text note below] of this title.
(3) A requirement that, if a covered cyber incident or a ransom payment occurs following an exempted threat described in paragraph (2)(C)(ii), the covered entity shall comply with the requirements in this part in reporting the covered cyber incident or ransom payment.
(4) A clear description of the specific required contents of a report pursuant to subsection (a)(1), which shall include the following information, to the extent applicable and available, with respect to a covered cyber incident:
(A) A description of the covered cyber incident, including—
(i) identification and a description of the function of the affected information systems, networks, or devices that were, or are reasonably believed to have been, affected by such cyber incident;
(ii) a description of the unauthorized access with substantial loss of confidentiality, integrity, or availability of the affected information system or network or disruption of business or industrial operations;
(iii) the estimated date range of such incident; and
(iv) the impact to the operations of the covered entity.
(B) Where applicable, a description of the vulnerabilities exploited and the security defenses that were in place, as well as the tactics, techniques, and procedures used to perpetrate the covered cyber incident.
(C) Where applicable, any identifying or contact information related to each actor reasonably believed to be responsible for such cyber incident.
(D) Where applicable, identification of the category or categories of information that were, or are reasonably believed to have been, accessed or acquired by an unauthorized person.
(E) The name and other information that clearly identifies the covered entity impacted by the covered cyber incident, including, as applicable, the State of incorporation or formation of the covered entity, trade names, legal names, or other identifiers.
(F) Contact information, such as telephone number or electronic mail address, that the Agency may use to contact the covered entity or an authorized agent of such covered entity, or, where applicable, the service provider of such covered entity acting with the express permission of, and at the direction of, the covered entity to assist with compliance with the requirements of this part.
(5) A clear description of the specific required contents of a report pursuant to subsection (a)(2), which shall be the following information, to the extent applicable and available, with respect to a ransom payment:
(A) A description of the ransomware attack, including the estimated date range of the attack.
(B) Where applicable, a description of the vulnerabilities, tactics, techniques, and procedures used to perpetrate the ransomware attack.
(C) Where applicable, any identifying or contact information related to the actor or actors reasonably believed to be responsible for the ransomware attack.
(D) The name and other information that clearly identifies the covered entity that made the ransom payment or on whose behalf the payment was made.
(E) Contact information, such as telephone number or electronic mail address, that the Agency may use to contact the covered entity that made the ransom payment or an authorized agent of such covered entity, or, where applicable, the service provider of such covered entity acting with the express permission of, and at the direction of, that covered entity to assist with compliance with the requirements of this part.
(F) The date of the ransom payment.
(G) The ransom payment demand, including the type of virtual currency or other commodity requested, if applicable.
(H) The ransom payment instructions, including information regarding where to send the payment, such as the virtual currency address or physical address the funds were requested to be sent to, if applicable.
(I) The amount of the ransom payment.
(6) A clear description of the types of data required to be preserved pursuant to subsection (a)(4), the period of time for which the data is required to be preserved, and allowable uses, processes, and procedures.
(7) Deadlines and criteria for submitting supplemental reports to the Agency required under subsection (a)(3), which shall—
(A) be established by the Director in consultation with the Council;
(B) consider any existing regulatory reporting requirements similar in scope, purpose, and timing to the reporting requirements to which such a covered entity may also be subject, and make efforts to harmonize the timing and contents of any such reports to the maximum extent practicable;
(C) balance the need for situational awareness with the ability of the covered entity to conduct cyber incident response and investigations; and
(D) provide a clear description of what constitutes substantial new or different information.
(8) Procedures for—
(A) entities, including third parties pursuant to subsection (d)(1), to submit reports required by paragraphs (1), (2), and (3) of subsection (a), including the manner and form thereof, which shall include, at a minimum, a concise, user-friendly web-based form;
(B) the Agency to carry out—
(i) the enforcement provisions of section 681d of this title, including with respect to the issuance, service, withdrawal, referral process, and enforcement of subpoenas, appeals and due process procedures;
(ii) other available enforcement mechanisms including acquisition, suspension and debarment procedures; and
(iii) other aspects of noncompliance;
(C) implementing the exceptions provided in subsection (a)(5); and
(D) protecting privacy and civil liberties consistent with processes adopted pursuant to section 1504(b) of this title and anonymizing and safeguarding, or no longer retaining, information received and disclosed through covered cyber incident reports and ransom payment reports that is known to be personal information of a specific individual or information that identifies a specific individual that is not directly related to a cybersecurity threat.
(9) Other procedural measures directly necessary to implement subsection (a).
(d) Third party report submission and ransom payment
(1) Report submission
A covered entity that is required to submit a covered cyber incident report or a ransom payment report may use a third party, such as an incident response company, insurance provider, service provider, Information Sharing and Analysis Organization, or law firm, to submit the required report under subsection (a).
(2) Ransom payment
If a covered entity impacted by a ransomware attack uses a third party to make a ransom payment, the third party shall not be required to submit a ransom payment report for itself under subsection (a)(2).
(3) Duty to report
Third-party reporting under this subparagraph [so in original; probably should be “subsection”] does not relieve a covered entity from the duty to comply with the requirements for covered cyber incident report or ransom payment report submission.
(4) Responsibility to advise
Any third party used by a covered entity that knowingly makes a ransom payment on behalf of a covered entity impacted by a ransomware attack shall advise the impacted covered entity of the responsibilities of the impacted covered entity regarding reporting ransom payments under this section.
(e) Outreach to covered entities
(1) In general
The Agency shall conduct an outreach and education campaign to inform likely covered entities, entities that offer or advertise as a service to customers to make or facilitate ransom payments on behalf of covered entities impacted by ransomware attacks and other appropriate entities of the requirements of paragraphs (1), (2), and (3) of subsection (a).
(2) Elements
The outreach and education campaign under paragraph (1) shall include the following:
(A) An overview of the final rule issued pursuant to subsection (b).
(B) An overview of mechanisms to submit to the Agency covered cyber incident reports, ransom payment reports, and information relating to the disclosure, retention, and use of covered cyber incident reports and ransom payment reports under this section.
(C) An overview of the protections afforded to covered entities for complying with the requirements under paragraphs (1), (2), and (3) of subsection (a).
(D) An overview of the steps taken under section 681d of this title when a covered entity is not in compliance with the reporting requirements under subsection (a).
(E) Specific outreach to cybersecurity vendors, cyber incident response providers, cybersecurity insurance entities, and other entities that may support covered entities.
(F) An overview of the privacy and civil liberties requirements in this part.
(3) Coordination
In conducting the outreach and education campaign required under paragraph (1), the Agency may coordinate with—
(A) the Critical Infrastructure Partnership Advisory Council established under section 451 of this title;
(B) Information Sharing and Analysis Organizations;
(C) trade associations;
(D) information sharing and analysis centers;
(E) sector coordinating councils; and
(F) any other entity as determined appropriate by the Director.
(f) Exemption
Sections 3506(c), 3507, 3508, and 3509 of title 44 shall not apply to any action to carry out this section.
(g) Rule of construction
Nothing in this section shall affect the authorities of the Federal Government to implement the requirements of Executive Order 14028 (86 Fed. Reg. 26633; relating to improving the nation’s cybersecurity), including changes to the Federal Acquisition Regulations and remedies to include suspension and debarment.
(h) Savings provision
Nothing in this section shall be construed to supersede or to abrogate, modify, or otherwise limit the authority that is vested in any officer or any agency of the United States Government to regulate or take action with respect to the cybersecurity of an entity.
Source: US Code, Chapter 1 (Homeland Security Organization), Subchapter XVIII (Cybersecurity and Infrastructure Security Agency), Part D (Cyber Incident Reporting), § 681b. Required reporting of certain cyber incidents.