Draft Cyber Incident Notification Act of 2021 and Impact on Federal Contractors and Operators of Critical Infrastructure

August 14, 2021

On July 21, 2021, a bipartisan group of Senators introduced the Cyber Incident Notification Act of 2021. This Act would require federal government agencies, federal contractors, and operators of critical infrastructure to notify the federal government in the event of a cybersecurity incident. Covered entities will be required to notify CISA (Cybersecurity and Infrastructure Security Agency) of the DHS (Department of Homeland Security) within 24 hours of a confirmation of a cybersecurity incident. It would also supplement the notification with recently discovered information within 72 hours of discovery. The bill could also include liability protection for attacked organizations, providing immunity against potential lawsuits from disclosing cybersecurity attacks.

Currently, federal law does not require most companies working with or supporting the US government to report cybersecurity attacks to the government. This bill would assist in ensuring government awareness of cybersecurity incidents that may be a potential threat to the nation.

The type of incidents to be reported under this bill includes:

  • Cybersecurity incidents involving or are estimated to involve nation-state actor(s).
  • Incidents with potential to affect the U.S. Cybersecurity and Infrastructure Security Agency (CISA) systems.
  • Cyber incidents that involve ransomware attacks.
  • Cybersecurity events or incidents that involve or are estimated to involve a transnational organized criminal group.
  • Cyber incidents most likely to result in significant national consequences.
  • Incidents that result or are estimated to harm U.S. national security, foreign relationships, or economic efforts.
  • Cybersecurity events or incidents that result or could result in potential harm to the public health and safety of American lives and properties.

It is important to note that notification laws are nothing new but they are getting a lot more attention with the increase in cyber-attacks gaining national attention.  Notification laws are actually in place for all 50 states, the District of Columbia, and US territories requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information (PII).

Some government agencies also have reporting requirements in place that are similar to the aforementioned bill.  Specifically, the Department of Defense (DOD) has reporting requirements in DFARS 252.204-7012 that are required for all contractors handling and processing controlled unclassified information (CUI).

However, the Cyber Incident Notification act is broader than the current requirements for DOD.  The Notification Act also includes three tiers of penalties for entities that fail to report a cybersecurity incident to CISA:

  • Federal agency: shall be referred to the Inspector General for the agency and shall be treated as a matter of urgent concern.
  • Government contractors: penalties determined by the Administrator of the General Service Administration, which may include removal from the Federal Contracting Schedules.
  • Organizations without government contracts: financial penalties maxing out at 0.5% of the organization’s gross revenue from the prior year for each day the violation continued or continues.

How Can Aronson Help?

Aronson LLC is a Registered Provider Organization (RPO) with the CMMC-AB, the accreditation body responsible for managing the CMMC program. We partner with government contractors (and their IT/cybersecurity vendors) to enable you to achieve the maturity required to successfully demonstrate CMMC compliance and obtain desired certification.

Our team of CMMC-AB Registered Practitioners (RP) can assist your organization with developing an incident response plan.

Contact our CMMC advisory team to learn more.