Cyber Incident Reporting for Critical Infrastructure Act of 2021 introduced by U.S. House of Representatives

Courtesy: Brett Sayles

The U.S. House Homeland Security Committee introduced the Cyber Incident Reporting for Critical Infrastructure Act of 2021. The bill seeks to amend the Homeland Security Act of 2002 to establish a Cyber Incident Review Office in the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security and would require critical infrastructure firms to disclose cybersecurity incidents to this office within 72 hours of discovery. Proponents of the bill claim this timeframe will help ensure CISA receives actionable information on significant incidents, while also giving incident responders enough time to do forensic analysis on the intrusion and determine its impact.

This bill is part of a flurry of legislative efforts to combat cybersecurity threats to critical infrastructure in the wake of major cyberattacks such as the SolarWinds hack and the Colonial Pipeline incident. The full Cyber Incident Reporting for Critical Infrastructure Act of 2021 is available online to read and download here.

As specified in this bill, CISA will manage the following six aspects related to the information it receives:

  1. Receive and analyze reports to assess the effectiveness of security controls and identify tactics, techniques and procedures adversaries use to overcome such controls.
  2. Facilitate the timely sharing between relevant critical infrastructure owners and operators, and the intelligence community of information relating to covered cybersecurity incidents.
  3. Conduct a review of the details surrounding a significant cybersecurity incident and identify ways to prevent or mitigate similar incidents in the future.
  4. Review reports for cyber threat indicators that can be anonymized and disseminated, with defensive measures, to appropriate stakeholders.
  5. Publish quarterly unclassified, public reports that describe aggregated, anonymized observations, findings and recommendations based on covered cybersecurity incident reports.
  6. Proactively identify opportunities to leverage and utilize data on cybersecurity incidents in a manner that enables and strengthens cybersecurity research carried out by academic institutions and other private sector organizations.

While this bill is encouraging, since the Federal government is taking notice of the cybersecurity challenges facing critical infrastructure, it has also faced criticism over the 72-hour timeline, with critics questioning whether that’s enough time for an organization to identify and gather relevant, helpful information on a potential security breach. The bill also provides a relatively vague definition for who is compelled to report an incident and what is considered a reportable incident, which could lead to confusion during implementation.

The bill also doesn’t address or incentivize the implementation of foundational security controls, such as the U.S. government’s NIST Cybersecurity Framework, across critical infrastructure sectors to protect them from cyberthreats and maintain the availability and safety of OT systems. Focusing too narrowly on information sharing or threat modeling won’t do much to stop the impacts of a cyberattack. You don’t invest in expensive surveillance cameras without installing locks on your doors and windows first, and the same holds true for cybersecurity. Perhaps, as the bill progresses through Congress, some of these shortcomings will be addressed.

Original content can be found at
