What is the Cyber Incident Notification Act of 2021?
The Cyber Incident Notification Act (CINA) (read full text here) began circulating in draft format on June 16th. Led by Mark Warner, Senate Intelligence Chair, Marco Rubio, and Susan Collins, its emergence comes just one week after Colonial Pipelines’ CEO Tim Felt testified before both the House and Senate about the ransomware attack that saw gas prices and gas station lines surge through parts of the country. The bill is meant to speed up the reporting of cybersecurity incidents in an age where nation state linked treat actors are frequently attacking supply chains and infrastructure with increasingly catastrophic consequences.
UPDATE: The Cyber Incident Notification Act was introduced to the Senate on July 22nd, 2021 with bipartisan support from an additional 12 senators putting their names on the bill.
Who is Affected?
Much like the president’s recent executive order on cybersecurity, the Cyber Incident Notification Act of 2021 places its primary focus on the federal supply chain. However, the CINA expands this coverage to “covered entities” that includes owners and operators of critical infrastructure.
The full definition of covered entities has not been drafted yet, and the bill tasks the Cybersecurity & Infrastructure Security Agency (CISA) with drafting a definition that will include “at a minimum, Federal contractors, owners or operators of critical infrastructure, and nongovernmental entities that provide cybersecurity incident response services.”
Meanwhile in the federal supply chain, it will include “any contractor or subcontractor of the United States Government; except those that only hold service contracts to provide housekeeping or custodial services; or contracts to provide products or services unrelated to information technology below the micro-purchase threshold.”
Additionally, the act opens up CISA reporting to non-covered entities who may not be required to report. This openness has many benefits. It will increase the ability for the CISA to gather information on private sector attacks, as well as deepen the benefits of the public private partnerships that are already recognized as being critical factors in strengthening our countries cyber defenses.
What Incidents Must be Reported?
The CINA requires that any covered entity report ANY incident that falls into the following categories.
- involves or is assessed to involve a nation-state
- involves or is assessed to involve an advanced persistent threat cyber actor
- involves or is assessed to involve a transnational organized crime group
- results, or has the potential to result, in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of people in the United States
- is or is likely to be of significant national consequence
- is identified by covered entities but affects, or has the potential to affect, agency systems
- involves ransomware
The demonstrable harm and ransomware bullets are probably going to be the most concerning when considering the enforcement actions that will be enacted for violations. With fines of 0.5% of annual gross revenue, it will be best to err on the side of caution and report everything.
What Must Be Reported?
While we are still waiting on the NIST standards on incident reporting, the CINA lays out minimum reporting requirements. We can expect this standard to be amended to include NIST guidance on mandatory incident information sharing once those guideline are published later this year.
At a minimum, reports should include:
- A description of the intrusion, including
- Identification of affected systems and networks that were or are believed to have been breached
- Estimated dates of when such an intrusion is believed to have occurred;
- a description of treat actor activities including:
- Vulnerabilities leveraged
- Tactics used
- Techniques used
- Procedures used
- Any information that could reasonably help identify the cyber actor, such as
- Internet protocol addresses
- Domain name service information
- Samples of malicious software
- Contact information, such as a telephone number or electronic mail address, that a Federal agency may use to contact the reporting entity, either directly or through an authorized agent of the covered entity.
- Actions taken to mitigate the intrusion
Timeline for Reporting
After confirmation of an intrusion or potential intrusion, organizations have 24 hours to submit a notification with the above information to CIRT’s Cyber Intrusion Reporting Capabilities. The only exception is if the organization is required by another federal organization or requirement to report in a SHORTER time frame. As new information is discovered, updates must be submitted within 72 hours of discovery. These updates are mandated until the event is mitigated or any follow-up investigations are completed.
New Standards for Information Preservation
The draft bill calls for CISA to create rules for data preservation standards. This could be problematic for cloud service providers and SaaS companies, as there is a more than slight chance that CISA will adopt the existing rules in DFARS 7012, which requires that victims of cyberattacks preserve and protect images of all known affected information systems identified in paragraph and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest. Upon request by CISA, the Contractor could be required to provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.
This is problematic on many fronts, as the distributed architecture of many cloud platforms and software are such that a service may not reside on a single server, and may span hundreds or thousands of servers for a single customer, making adherence difficult for SaaS providers.
Penalties for Violating the Cyber Incident Notification Act
There are three tiers of penalties for organizations that fail to report under these proposed rules.
- Government contractors “shall be subject to penalties determined by the Administrator of the General Services Administration, which may include removal from the Federal Contracting Schedules.”
- Organizations without government contracts “shall be subject to financial penalties equal to 0.5 percent per day of the entity’s gross revenue from the prior year.”
- Federal agency violations “shall be referred to the Inspector General for the agency, and shall be treated as a matter of urgent concern.”
Protections from Liability
One point of grace within the Cyber Incident Notification Act is an indemnification from liability for reporting breaches. “No cause of action shall lie or be maintained in any court by any person or entity, other than the Federal Government pursuant to subsection (g) or any applicable law, against any covered entity due to the submission of a cybersecurity notification to the Agency through the Cyber Intrusion Reporting System, in conformance with this subtitle and the rules promulgated under subsection (d), and any such action shall be promptly dismissed.”
As we learned from Schoolhouse Rock’s “I’m Just a Bill“, “It’s a long-long wait while waiting in committee.” and it may be months before we see the final version of the legislation. However, with the recent executive orders, increased adoption of stronger cybersecurity standards across all industries, it is wise to make sure your organization is prepared for new requirements. Even more important is making sure that you don’t wind up sitting in front of a select committee explaining why you didn’t take basic precautions to protect and monitor your environment.
Agile IT has experience implementing Enhanced Detection and Response (XDR), Zero Trust Architecture, NIST, ITAR and CMMC compliant environments for Defense, Federal, State and Local Governments, regulated industries and critical infrastructure. If you want to learn more about how we leverage Microsoft security tools to reduce complexity and costs while hardening environments, schedule a free consultation.