Washington, D.C. – House Committee on Homeland Security Chairman Mark E. Green, MD (R-TN) delivered the following opening statements in a hearing to examine the Cybersecurity and Infrastructure Security Agency’s (CISA) recent proposed rule for the implementation of the bipartisan Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
As prepared for delivery:
When we passed [CIRCIA], our goal was to ensure shared visibility of substantial cyber incidents impacting our homeland’s critical infrastructure.
With nation-state actors such as China and Russia continuing to target us, we knew that we needed to better understand and defend against increasingly fraught cyber threats.
However, we knew we needed to do this without imposing undue regulatory burden on our companies that are already stretched very thin.
Duplicative efforts tend to wind up costing businesses money that they could actually use on real cybersecurity, and so getting to the bottom of those is one of our priorities.
It is imperative that we strike this balance and ensure the rule is harmonized with regulations.
I look forward to hearing from our witnesses.
H.R.5440 – Cyber Incident Reporting for Critical Infrastructure Act of 2021
117th Congress (2021-2022)
Summary: H.R.5440 — 117th Congress (2021-2022) All Information (Except Text)
There is one summary for H.R.5440. Bill summaries are authored by CRS.
Shown Here: Introduced in House (09/30/2021)
Cyber Incident Reporting for Critical Infrastructure Act of 2021
This bill requires reporting and other actions to address cybersecurity incidents, including ransomware attacks.
Entities that own or operate critical infrastructure must report cybersecurity incidents (e.g., ransomware attacks) within specified time frames while other entities may voluntarily report incidents. The Cybersecurity and Infrastructure Security Agency (CISA) must (1) carry out rulemaking to implement the reporting requirements, and (2) establish an office to receive and analyze such reports. To the extent practicable, CISA must align its rules with existing requirements related to the reporting of cybersecurity incidents.
The bill limits the use and disclosure of reported information. The information may be shared (subject to protections and restrictions) with federal agencies or to address cybersecurity threats. However, shared information may not be used as a basis for certain regulatory enforcement. Additionally, an entity may not be liable for submitting required reports. Further, reports are not subject to laws governing release of federal or other governmental records.
The bill authorizes CISA to take specified action (e.g., issuing subpoenas) if an entity fails to submit a required report. CISA may share subpoenaed information with a regulator or the Department of Justice for regulatory enforcement or criminal prosecution.
