Cybersecurity: Comparison of Selected Cyber Incident Reporting Bills—In Brief
Updated October 25, 2021 
Congressional Research Service 
https://crsreports.congress.gov 
R46944 
Contents
Introduction

Tables
Table 1. Comparison of Select Cyber Incident Reporting Bills

Contacts
Author Information
 
Introduction 
The 117th Congress has debated requirements for nonfederal entities to report to the federal government incidents of cyberattacks. As part of this debate, Members of Congress have introduced legislation seeking to address reporting requirements in different ways. This report compares selected bills addressing cyber incident reporting from the first session of the 117th Congress, specifically:
- H.R. 5440, the Cyber Incident Reporting for Critical Infrastructure Act of 2021 (as introduced);1
- S. 2407, the Cyber Incident Notification Act of 2021 (as introduced);
- S. 2875, the Cyber Incident Reporting Act of 2021 (as introduced); and
- S. 2943, the Ransom Disclosure Act (as introduced).
H.R. 5440 was introduced on September 30, 2021, following a House Committee on Homeland Security (CHS) legislative hearing on a discussion draft of the bill.2 S. 2407 was introduced on July 21, 2021, and was referred to the Senate Committee on Homeland Security and Governmental Affairs (HSGAC); it has not been debated.3 S. 2875 was introduced on September 28, 2021, marked up during a HSGAC business meeting, and was ordered to be reported favorably with an amendment in the nature of a substitute on October 6, 2021.4 All three bills would require the Cybersecurity and Infrastructure Security Agency (CISA) to impose cyber incident reporting requirements upon nonfederal entities via rulemaking. However, the entities affected and what the federal government does with the information received differ slightly among the three bills.
S. 2943 was introduced on October 6, 2021, and referred to HSGAC. S. 2943 differs more significantly from the other three bills in that its rulemaking authority is limited to enforcement and that it does not apply to cyber incidents broadly—it only addresses the payment of ransoms from ransomware attacks. The National Institute of Standards and Technology (NIST) describes ransomware as follows:5
    Ransomware is a type of malware that encrypts an organization’s data and demands payment as a condition of restoring access to that data. In some instances, ransomware may also steal an organization’s information and demand an additional payment in return for not disclosing the information to authorities, competitors, or the public. Ransomware attacks target the organization’s data or critical infrastructure, disrupting or halting
1 This act was engrossed by the House of Representatives on September 23, 2021, as part of its inclusion in the House version of the National Defense Authorization Act for Fiscal Year 2022 (H.R. 4350, Section 1535).
2 U.S. Congress, House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, Stakeholder Perspectives on the Cyber Incident Reporting for Critical Infrastructure Act of 2021, legislative hearing, 117th Cong., 1st sess., September 1, 2021.
3 As of the publishing of this report.
4 U.S. Congress, Senate Committee on Homeland Security and Governmental Affairs, Business Meeting, 117th Cong., 1st sess., October 6, 2021. For analysis, the introduced version of the bill is used in this report as that is the version publicly available on https://www.congress.gov. The amendment in the nature of a substitute addressed definitions of small businesses. The two versions are substantively similar for the purposes of analysis and comparison in the table.
5 William C. Barker, Karen Scarfone, William Fisher, et al., “Cybersecurity Framework Profile for Ransomware Risk Management,” Draft NISTIR 8374, September 2021, at https://nvlpubs.nist.gov/nistpubs/ir/2021/NIST.IR.8374-draft.pdf.
    operations and posing a dilemma for management: pay the ransom and hope that the attackers keep their word about restoring access and not disclosing data, or do not pay the ransom and restore operations themselves. The methods ransomware uses to gain access to an organization’s information and systems are common to cyberattacks more broadly, but they are aimed at forcing a ransom to be paid.
Table 1 provides a side-by-side comparison of these bills, across common traits related to cyber incident reporting.6
6 For further analysis of cyber incident reporting considerations, see CRS Report R46926, Federal Cybersecurity: Background and Issues for Congress, by Chris Jaikaran.
Table 1. Comparison of Select Cyber Incident Reporting Bills

Bills compared:
  H.R. 5440: Cyber Incident Reporting for Critical Infrastructure Act of 2021
  S. 2407: Cyber Incident Notification Act of 2021
  S. 2875: Cyber Incident Reporting Act of 2021
  S. 2943: Ransom Disclosure Act

Purpose
  H.R. 5440: “To amend the Homeland Security Act of 2002 to establish the Cyber Incident Review Office in the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, and for other purposes.”
  S. 2407: “To ensure timely Federal Government awareness of cyber intrusions that pose a threat to national security, enable the development of a common operating picture of national-level cyber threats, and to make appropriate, actionable cyber threat information available to the relevant government and private sector entities, as well as the public, and for other purposes.”
  S. 2875: “To amend the Homeland Security Act of 2002 to establish the Cyber Incident Review Office in the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, and for other purposes.”
  S. 2943: “To require certain entities to disclose to the Secretary of Homeland Security ransom payments, and for other purposes.”

Capability
  H.R. 5440: Program to receive, aggregate, analyze and report on cybersecurity incidents.
  S. 2407: Program to receive timely, secure, and confidential notifications on cyber incidents.
  S. 2875: Program to receive, aggregate, analyze and report on cybersecurity incidents.
  S. 2943: System for DHS to collect and report on ransomware payments.

Due Date to Implement the Act
  H.R. 5440: 270 days after enactment.
  S. 2407: 240 days after enactment.
  S. 2875: 270 days after enactment.
  S. 2943: 90 days after enactment.

Reporting Entities
  H.R. 5440: Defined by a rule. At a minimum includes cloud service providers, managed service providers, and critical infrastructure operators. Other entities may report and receive the same liability and disclosure protections described below.
  S. 2407: Defined by a rule. At a minimum includes federal agencies, federal contractors, critical infrastructure operators, and cybersecurity companies.
  S. 2875: Defined by a rule. Will include critical infrastructure owners and operators. Other entities may be included based on the consequences of the attack and the entity’s likelihood of being targeted by malicious actors.
  S. 2943: Any entity (public or private) engaged in interstate commerce or that receives federal funds. This includes local governments, but excludes individuals for the purposes of mandatory reporting. Individuals may voluntarily report.

Receiving Entity
  H.R. 5440: CISA
  S. 2407: CISA
  S. 2875: CISA
  S. 2943: DHS

Reporting Threshold
  H.R. 5440: Defined by a rule. Definition of qualifying incidents shall consider the sophistication of the attack, impact to individuals, impacts to industrial control systems or systems related to safety and resilience, and operational disruptions.
  S. 2407: Defined by a rule. Definition of qualifying incidents shall consider the sophistication of the attack, the number of individuals affected, and impacts to industrial control systems. At a minimum, will include unauthorized access to systems that leads to a loss of information security, disruptions, and compromises to cloud or managed service providers. Shall not include U.S. government operations, good-faith research, or vulnerability disclosure program activities.
  S. 2875: Defined by a rule.
  S. 2943: The payment of a ransom by a covered entity who experienced a ransomware attack.

Reporting Timeliness
  H.R. 5440: Defined by a rule. Reporting shall not be earlier than 72 hours after discovery.
  S. 2407: Initial report within 24 hours after the confirmation of the incident. Update within 72 hours of new information.
  S. 2875: Covered entities must report cyber incidents within 72 hours of discovery. Ransomware payments must be reported within 24 hours of payment.
  S. 2943: No later than 48 hours after payment of the ransom.

Report Content
  H.R. 5440: Defined by a rule. At a minimum includes: description of the incident; systems affected, vulnerabilities and TTPs observed; point-of-contact information from the reporter; mitigating actions the reporter has taken.
  S. 2407: Expanded in the rule. At a minimum includes: description of the incident; vulnerabilities and TTPs observed; internet traffic information and/or malware samples; point-of-contact information from the reporter; mitigating actions the reporter has taken. Additional content requirements will be described in the rule.
  S. 2875: Defined by a rule. Shall include description of the incident; systems affected, vulnerabilities and TTPs observed; identifiers for the entity attacked (e.g., taxpayer identifier); and point-of-contact information from the reporter. For ransom payments, include the amount, payment instructions, and date of payment.
  S. 2943: The date and amount of the ransom demanded. The date and amount of the ransom paid. The form of currency used (e.g., cryptocurrency) to make payment. Whether the covered entity received federal funds. Any information on the identity of the attacker.

Report Format
  H.R. 5440: Defined by a rule. Reports may be submitted by a third party (e.g., an information sharing and analysis organization or cybersecurity firm) on behalf of the victim.
  S. 2407: Defined by a rule.
  S. 2875: Defined by a rule.
  S. 2943: Not defined in the bill.

Information Classification
  H.R. 5440: Unclassified.
  S. 2407: Classified and unclassified.
  S. 2875: Unclassified, but may include classified annexes.
  S. 2943: Unclassified.

Information Protection
  H.R. 5440: Exemption from federal, state, local, tribal, and territorial disclosure laws. Information shall only be used for: a cybersecurity purpose (as defined in 6 U.S.C. §1501); identifying a threat or vulnerability; responding to or preventing personal harm, injury, or death; investigating a threat to minors; and other crimes.
  S. 2407: Exemption from federal, state, local, tribal, and territorial disclosure laws. Exemption from civil or criminal action (except for actions brought to enforce the reporting requirement).
  S. 2875: Follow protections of personal information in the Cybersecurity Act of 2015 (6 U.S.C. §1504). Further defined by the CISA Director.
  S. 2943: DHS shall exclude information that identifies covered entities that report.

Information Use
  H.R. 5440: Quarterly, CISA shall provide public reports providing aggregated and anonymized findings and recommendations from the submitted incidents.
  S. 2407: Monthly, CISA shall develop a cyber threat intelligence report based on submissions. Annually, CISA shall develop a report on the number of incident notifications received and actions taken.
  S. 2875: Quarterly, CISA shall provide public reports providing aggregated and anonymized findings and recommendations from the submitted incidents.
  S. 2943: DHS shall annually publish information received from disclosures, including the total dollar amount of ransoms paid.

Information Sharing
  H.R. 5440: CISA shall develop standards to facilitate the timely sharing of information. Information to be shared with federal and nonfederal entities.
  S. 2407: CISA shall share with Sector Risk Management Agencies the respective critical infrastructure sector reports.
  S. 2875: Agencies that receive notification of a cyberattack shall share that with CISA within 24 hours. CISA shall lead a Cybersecurity Incident Reporting Council with other agencies to deconflict and harmonize reporting requirements. CISA shall share data with Sector Risk Management Agencies. CISA shall determine if further information sharing is necessary upon receipt of reports.
  S. 2943: Not defined in the bill.

Liability Protection
  H.R. 5440: Protections are extended from the Cybersecurity Act of 2015 (found in 6 U.S.C. §1505).
  S. 2407: Information reported shall not be used for purposes other than stated in the law.
  S. 2875: Protections are extended from the Cybersecurity Act of 2015 (found in 6 U.S.C. §1505).
  S. 2943: Not defined in the bill.

Rulemaking
  H.R. 5440: DHS shall promulgate rules to implement this act. DHS shall engage in outreach to stakeholders, in addition to rulemaking requirements, to educate potentially covered entities as well as to solicit feedback.
  S. 2407: DHS shall promulgate rules to implement this act.
  S. 2875: CISA shall promulgate rules to implement this act. DHS shall engage in outreach to stakeholders, in addition to rulemaking requirements, to educate potentially covered entities as well as to solicit feedback.
  S. 2943: DHS shall promulgate a rule regarding penalties for covered entities that fail to report.

Enforcement
  H.R. 5440: CISA may issue subpoenas to compel disclosure. If an entity does not comply with the subpoena, CISA may bring a civil action against the entity. Entities lose liability and disclosure protections in this event.
  S. 2407: CISA may fine a company for noncompliance up to 0.5% of the company’s gross revenue from the prior year for each day of noncompliance. Federal contractors may face further fines.
  S. 2875: CISA may issue subpoenas to compel disclosure. If an entity does not comply with the subpoena, CISA may bring a civil action against the entity. Entities lose liability and disclosure protections in this event. CISA may refer federal contractors to GSA for failure to comply with subpoenas for penalties, suspension or debarment. CISA may refer reports to DOJ and regulators for criminal prosecution or regulatory actions.
  S. 2943: DHS shall define this in a rule.

Other
  H.R. 5440: CISA shall work with other agencies to harmonize reporting requirements.
  S. 2407: Paperwork Reduction Act exemption.
  S. 2875: CISA shall develop a ransomware pilot to identify common vulnerabilities and warn potential victims if they are exposed to those vulnerabilities. DHS shall establish a Joint Ransomware Task Force to disrupt criminals and improve defenses.
  S. 2943: 15 months after enactment DHS shall send to Congress findings related to commonalities of ransomware attacks, the extent to which cryptocurrencies facilitated the attacks, and recommendations to improve cybersecurity.
Source: CRS analysis. 
Notes: Cybersecurity and Infrastructure Security Agency (CISA). U.S. Code (U.S.C.). U.S. Department of Homeland Security (DHS). Tactics, Techniques, and Procedures (TTPs). U.S. General Services Administration (GSA). U.S. Department of Justice (DOJ).
 
Author Information 
Chris Jaikaran
Analyst in Cybersecurity Policy
 
 
Disclaimer 
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan 
shared staff to congressional committees and Members of Congress. It operates solely at the behest of and 
under the direction of Congress. Information in a CRS Report should not be relied upon for purposes other 
than public understanding of information that has been provided by CRS to Members of Congress in 
connection with CRS’s institutional role. CRS Reports, as a work of the United States Government, are not 
subject to copyright protection in the United States. Any CRS Report may be reproduced and distributed in 
its entirety without permission from CRS. However, as a CRS Report may include copyrighted images or 
material from a third party, you may need to obtain the permission of the copyright holder if you wish to 
copy or otherwise use copyrighted material. 
 
R46944 · VERSION 3 · UPDATED