[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 2407 Introduced in Senate (IS)]
117th CONGRESS
1st Session
S. 2407
To ensure timely Federal Government awareness of cyber intrusions that
pose a threat to national security, enable the development of a common
operating picture of national-level cyber threats, and to make
appropriate, actionable cyber threat information available to the
relevant government and private sector entities, as well as the public,
and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
July 21, 2021
Mr. Warner (for himself, Mr. Rubio, Ms. Collins, Mr. Heinrich, Mr.
Tester, Mr. King, Mr. Burr, Mr. Blunt, Mr. Bennet, Mr. Casey, Mr.
Sasse, Mrs. Gillibrand, Mrs. Feinstein, Mr. Risch, and Mr. Manchin)
introduced the following bill; which was read twice and referred to the
Committee on Homeland Security and Governmental Affairs
_______________________________________________________________________
A BILL
To ensure timely Federal Government awareness of cyber intrusions that
pose a threat to national security, enable the development of a common
operating picture of national-level cyber threats, and to make
appropriate, actionable cyber threat information available to the
relevant government and private sector entities, as well as the public,
and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Cyber Incident Notification Act of
2021''.
SEC. 2. CYBERSECURITY INTRUSION REPORTING CAPABILITIES.
(a) In General.--Title XXII of the Homeland Security Act of 2002 (6
U.S.C. 651 et seq.) is amended by adding at the end the following:
``Subtitle C--Cybersecurity Intrusion Reporting Capabilities
``SEC. 2231. DEFINITIONS.
``In this subtitle:
``(1) Definitions from section 2201.--The definitions in
section 2201 shall apply to this subtitle, except as otherwise
provided.
``(2) Agency.--The term `Agency' means the Cybersecurity
and Infrastructure Security Agency.
``(3) Appropriate congressional committees.--In this
section, the term `appropriate congressional committees'
means--
``(A) the Committee on Homeland Security and
Governmental Affairs of the Senate;
``(B) the Select Committee on Intelligence of the
Senate;
``(C) the Committee on the Judiciary of the Senate;
``(D) the Committee on Armed Services of the
Senate;
``(E) the Committee on Homeland Security of the
House of Representatives;
``(F) the Permanent Select Committee on
Intelligence of the House of Representatives;
``(G) the Committee on the Judiciary of the House
of Representatives; and
``(H) the Committee on Armed Services of the House
of Representatives.
``(4) Covered entity.--The term `covered entity' has the
meaning given the term under the rules required to be
promulgated under section 2233(d).
``(5) Critical infrastructure.--The term `critical
infrastructure' has the meaning given the term in section
1016(e) of the Critical Infrastructure Protection Act of 2001
(42 U.S.C. 5195c(e)).
``(6) Cyber intrusion reporting capabilities.--The term
`Cyber Intrusion Reporting Capabilities' means the
cybersecurity intrusion reporting capabilities established
under section 2232.
``(7) Cybersecurity notification.--The term `cybersecurity
notification' means a notification of a cybersecurity
intrusion, as defined in accordance with section 2233.
``(8) Director.--The term `Director' means the Director of
the Cybersecurity and Infrastructure Security Agency.
``(9) Federal agency.--The term `Federal agency' has the
meaning given the term `agency' in section 3502 of title 44,
United States Code.
``(10) Federal contractor.--The term `Federal contractor'--
``(A) means a contractor or subcontractor (at any
tier) of the United States Government; and
``(B) does not include a contractor or
subcontractor that holds only--
``(i) service contracts to provide
housekeeping or custodial services; or
``(ii) contracts to provide products or
services unrelated to information technology
below the micro-purchase threshold (as defined
in section 2.101 of title 48, Code of Federal
Regulations, or any successor thereto).
``(11) Information technology.--The term `information
technology' has the meaning given the term in section 11101 of
title 40, United States Code.
``(12) Ransomware.--The term `ransomware' means any type of
malicious software that prevents the legitimate owner or
operator of an information system or network from accessing
computer files, systems, or networks and demands the payment of
a ransom for the return of such access.
``SEC. 2232. ESTABLISHMENT OF CYBERSECURITY INTRUSION REPORTING
CAPABILITIES.
``(a) Designation.--The Agency shall be the designated agency
within the Federal Government to receive cybersecurity notifications
from other Federal agencies and covered entities in accordance with
this subtitle.
``(b) Establishment.--Not later than 240 days after the date of
enactment of this subtitle, the Director shall establish Cyber
Intrusion Reporting Capabilities to facilitate the submission of
timely, secure, and confidential cybersecurity notifications from
Federal agencies and covered entities to the Agency.
``(c) Re-Evaluation of Security.--The Director shall re-evaluate
the security of the Cyber Intrusion Reporting Capabilities not less
frequently than once every 2 years.
``(d) Requirements.--The Cyber Intrusion Reporting Capabilities
shall allow the Agency--
``(1) to accept classified submissions and notifications;
and
``(2) to accept a cybersecurity notification from any
entity, regardless of whether the entity is a covered entity.
``(e) Limitations on Use of Information.--Any cybersecurity
notification submitted to the Agency through the Cyber Intrusion
Reporting Capabilities established under this section--
``(1) shall be exempt from disclosure under section 552 of
title 5, United States Code (commonly referred to as the
`Freedom of Information Act'), in accordance with subsection
(b)(3)(B) of such section 552, and any State, Tribal, or local
provision of law requiring disclosure of information or
records; and
``(2) may not be--
``(A) admitted as evidence in any civil or criminal
action brought against the victim of the cybersecurity
incident, except for actions brought by the Federal
Government under section 2233(h); or
``(B) subject to a subpoena, unless the subpoena is
issued by Congress and necessary for congressional
oversight purposes.
``(f) Privacy.--The Agency shall adopt privacy and data protection
procedures, based on the comparable privacy and data protection
procedures developed for information received and shared pursuant to
the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501 et
seq.), for information submitted to the Agency through the Cyber
Intrusion Reporting Capabilities established under subsection (b) that
is known at the time of sharing to contain personal information of a
specific individual or information that identifies a specific
individual that is not directly related to a cybersecurity threat.
``(g) Annual Reports.--
``(1) Director reporting requirement.--Not later than 1
year after the date on which the Cyber Intrusion Reporting
Capabilities are established and once each year thereafter, the
Director shall submit to the appropriate congressional
committees a report, in classified form if necessary, on the
number of notifications received through the Cyber Intrusion
Reporting Capabilities, and a description of the associated
mitigations taken, during the 1-year period preceding the
report.
``(2) Secretary reporting requirement.--Not later than 1
year after the date on which the Cyber Intrusion Reporting
Capabilities are established, and once each year thereafter,
the Secretary shall submit to the appropriate congressional
committees a report on--
``(A) the categories of covered entities, noting
additions or removals of categories, that are required
to submit cybersecurity notifications; and
``(B) the types of cybersecurity intrusions and
other information required to be submitted as a
cybersecurity notification, noting any changes from the
previous submission.
``(3) Form.--The annual reports required under this
subsection may be submitted as a single report for each year,
at the discretion of the Secretary.
``SEC. 2233. REQUIRED NOTIFICATIONS.
``(a) Notifications.--
``(1) In general.--Except as provided in paragraph (2), not
later than 24 hours after the confirmation of a cybersecurity
intrusion or potential cybersecurity intrusion, the Federal
agency or covered entity that discovered the cybersecurity
intrusion or potential cybersecurity intrusion shall submit a
cybersecurity notification to the Agency through the Cyber
Intrusion Reporting Capabilities.
``(2) Exception.--If a Federal agency or covered entity
required to submit a cybersecurity notification under paragraph
(1) is subject to another Federal law, regulation, policy, or
government contract requiring notification of a cybersecurity
intrusion or potential cybersecurity intrusion to a Federal
agency within less than 24 hours, the notification deadline
required in the applicable law, regulation, or policy shall
also apply to the notification required under this section.
``(b) Required Updates.--A Federal agency or covered entity that
submits a cybersecurity notification under subsection (a) shall, until
the date on which the cybersecurity incident is mitigated or any
follow-up investigation is completed, submit updated cybersecurity
threat information to the Agency through the Cyber Intrusion Reporting
Capabilities not later than 72 hours after the discovery of new
information.
``(c) Required Contents.--The notification and required updates
submitted under subsections (a) and (b) shall include, at minimum, any
information required to be included pursuant to the rules promulgated
under subsection (d).
``(d) Required Rulemaking.--
``(1) In general.--Notwithstanding any provisions set out
in this title that may limit or restrict the promulgation of
rules, and not later than 270 days after the date of enactment
of this subtitle, the Secretary, acting through the Director,
in coordination with the Director of National Intelligence, the
Director of the Office of Management and Budget, the Secretary
of Defense, and the National Cyber Director, shall promulgate
interim final rules, waiving prior public notice, and accepting
comments after the effective date in order to inform the final
rules--
``(A) that define `covered entity' for the purpose
of identifying entities subject to the cybersecurity
notification requirements of this section and which
shall include, at a minimum, Federal contractors,
owners or operators of critical infrastructure, as
determined appropriate by the Director based on
assessment of risks posed by compromise of critical
infrastructure operation, and nongovernmental entities
that provide cybersecurity incident response services;
``(B) that define `cybersecurity intrusion' and
`potential cybersecurity intrusion' for the purpose of
determining when a cybersecurity notification shall be
submitted under this section;
``(C) that define `cybersecurity threat
information' for the purpose of describing the threat
information to be included in a cybersecurity
notification under this section;
``(D) that define `confirmation of a cybersecurity
incident or potential cybersecurity incident' for the
purpose of determining when a notification obligation
is triggered;
``(E) that address whether a Federal agency or
covered entity shall be required to provide a
cybersecurity notification for a cybersecurity
intrusion of which the Federal agency or covered entity
is aware, but does not directly impact the networks or
information systems owned or operated by the Federal
agency or covered entity; and
``(F) that contain other provisions necessary to
implement the requirements of this subtitle.
``(2) Requirements for definitions.--At a minimum, the
definitions of `cybersecurity intrusion' and `potential
cybersecurity intrusion' required to be promulgated under
paragraph (1)(B) shall include a cybersecurity intrusion,
including an intrusion involving ransomware, that--
``(A) involves or is assessed to involve a nation-
state;
``(B) involves or is assessed to involve an
advanced persistent threat cyber actor;
``(C) involves or is assessed to involve a
transnational organized crime group (as defined in
section 36 of the State Department Basic Authorities
Act of 1956 (22 U.S.C. 2708));
``(D) results, or has the potential to result, in
demonstrable harm to the national security interests,
foreign relations, or economy of the United States or
to the public confidence, civil liberties, or public
health and safety of people in the United States;
``(E) is or is likely to be of significant national
consequence; or
``(F) is identified by covered entities but
affects, or has the potential to affect, agency
systems.
``(3) Required information for cybersecurity threat
information.--For purposes of the rules required to be
promulgated under paragraph (1)(B), the cybersecurity threat
information required to be included in a cybersecurity
notification shall include, at a minimum--
``(A) a description of the cybersecurity intrusion,
including identification of the affected systems and
networks that were, or are reasonably believed to have
been, accessed by a cyber actor, and the estimated
dates of when such an intrusion is believed to have
occurred;
``(B) a description of the vulnerabilities
leveraged, and tactics, techniques, and procedures used
by the cyber actors to conduct the intrusion;
``(C) any information that could reasonably help
identify the cyber actor, such as internet protocol
addresses, domain name service information, or samples
of malicious software;
``(D) contact information, such as a telephone
number or electronic mail address, that a Federal
agency may use to contact the covered entity, either
directly or through an authorized agent of the covered
entity; and
``(E) actions taken to mitigate the intrusion.
``(4) Required consultation.--For purposes of the rules
required to be promulgated under paragraph (1), the Secretary,
acting through the Director, shall consult with appropriate
private sector stakeholders, as determined by the Secretary, in
coordination with the Director of National Intelligence, the
Director of the Office of Management and Budget, the Secretary
of Defense, and the National Cyber Director.
``(e) Required Response.--The Director shall develop and implement
a process to respond to a Federal agency or covered entity that submits
a cybersecurity notification under subsection (a) not later than 2
business days after the date on which the notification is submitted,
which shall notify the entity as to whether the Director requires
further information about the cybersecurity intrusion.
``(f) Required Coordination With Sector Risk Management or Other
Regulatory Agencies.--The Secretary of Homeland Security, acting
through the Director, in coordination with the head of each Sector Risk
Management Agency and other Federal agencies, as determined appropriate
by the Director, shall--
``(1) establish a set of reporting criteria for Sector Risk
Management Agencies and other Federal agencies as identified by
the Director to submit cybersecurity notifications regarding
cybersecurity incidents affecting covered entities in their
respective sectors or covered entities regulated by such
Federal agencies to the Agency through the Cyber Intrusion
Reporting Capabilities; and
``(2) take steps to harmonize the criteria described in
paragraph (1) with the regulatory reporting requirements in
effect on the date of enactment of this subtitle.
``(g) Protection From Liability.--No cause of action shall lie or
be maintained in any court by any person or entity, other than the
Federal Government pursuant to subsection (h) or any applicable law,
against any covered entity due to the submission by that person or
entity of a cybersecurity notification to the Agency through the Cyber
Intrusion Reporting Capabilities, in conformance with this subtitle and the
rules promulgated under subsection (d), and any such action shall be
promptly dismissed.
``(h) Enforcement.--
``(1) In general.--If, on the basis of any information, the
Director determines that a covered entity has violated, or is
in violation of, the requirements of this subtitle, including
rules promulgated under this subtitle, the Director may assess
a civil penalty not to exceed 0.5 percent of the entity's gross
revenue from the prior year for each day the violation
continued or continues.
``(2) Determination of amount.--The Director shall have the
authority to reduce or otherwise modify the civil penalties
assessed under paragraph (1) and may take into account
mitigating or aggravating factors, including the nature,
circumstances, extent, and gravity of the violations and, with
respect to the covered entity, the covered entity's ability to
pay, degree of culpability, and history of prior violations.
``(3) Procedures.--The Director shall establish procedures
for contesting civil penalties imposed under this section.
``(4) Covered entities with federal government contracts.--
In addition to the penalties authorized under this subsection,
if a covered entity with a Federal Government contract violates
the requirements of this subtitle, including rules promulgated
under this subtitle, the Administrator of the General Services
Administration may assess additional available penalties,
including removal from the Federal Contracting Schedule.
``(5) Federal agencies.--If a Federal agency violates the
requirements of this subtitle, the violation shall be referred
to the Inspector General for the agency, and shall be treated
by the Inspector General for the agency as a matter of urgent
concern.
``(i) Exemption.--All information collection activities under
sections 2232 and 2233 of this subtitle shall be exempt from the
requirements of sections 3506(c), 3507, 3508, and 3509 of title 44,
United States Code (commonly known as the `Paperwork Reduction Act').
``(j) Rule of Construction.--Nothing in this subtitle shall be
construed to supersede any reporting requirements under subchapter I of
chapter 35 of title 44, United States Code.
``SEC. 2234. PRESERVATION OF INFORMATION.
``(a) In General.--Not later than 60 days after the date of
enactment of this subtitle, the Secretary, acting through the Director,
in coordination with the Director of the Office of Management and
Budget, shall promulgate rules for data preservation standards and
requirements for Federal agencies and covered entities to assist with
cybersecurity intrusion response and associated investigatory
activities.
``(b) Minimum Requirements.--The rules for data preservation
promulgated under subsection (a) shall require, at a minimum, that a
Federal agency or covered entity that submits a cybersecurity
notification under this subtitle shall preserve all of the data
designated for preservation under such rules.
``SEC. 2235. ANALYSIS OF CYBERSECURITY NOTIFICATIONS.
``(a) Analysis.--
``(1) In general.--The Secretary, acting through the
Director, the Attorney General, and the Director of National
Intelligence, shall jointly develop procedures for ensuring any
cybersecurity notification submitted to the Agency through the Cyber
Intrusion Reporting Capabilities is promptly
and appropriately analyzed to--
``(A) determine the impact of the breach or
intrusion on the national economy and national
security;
``(B) identify the potential source or sources of
the breach or intrusion;
``(C) recommend actions to mitigate the impact of
the breach or intrusion; and
``(D) provide information on methods of securing
the system or systems against future breaches or
intrusions.
``(2) Requirement.--The procedures required to be developed
under paragraph (1) shall include criteria for when rapid
analysis, notification, or public dissemination is required.
``(3) Authority.--The Secretary, acting through the
Director, the Attorney General, and the Director of National
Intelligence may each designate employees within each
respective agency who may search intelligence and law
enforcement information for cyber threat intelligence
information with a national security or public safety purpose,
based on cybersecurity notifications received by the Agency
through the Cyber Intrusion Reporting Capabilities, and
consistent with the procedures developed under paragraph (1).
``(b) Analytic Production.--
``(1) In general.--Not less frequently than once every 30
days, the Secretary, acting through the Director, the Attorney
General, and the Director of National Intelligence shall
produce a joint cyber threat intelligence report that
characterizes the current cyber threat picture facing Federal
agencies and covered entities.
``(2) Requirements.--Each report required to be produced
under paragraph (1)--
``(A) shall be in a form which may be made publicly
available;
``(B) may include a classified annex, as necessary;
and
``(C) shall, to the maximum extent practical,
anonymize attribution information from cybersecurity
notifications received through the Cyber Intrusion
Reporting Capabilities.
``(3) Authority to declassify.--The Director of National
Intelligence may declassify any analytic products, or portions
thereof, produced under this section if such declassification
is required to mitigate cyber threats facing the United
States.''.
(b) Table of Contents.--The table of contents in section 1(b) of
the Homeland Security Act of 2002 (Public Law 107-296; 116 Stat. 2135)
is amended by adding at the end the following:
``Subtitle C--Cybersecurity Intrusion Reporting Capabilities
``Sec. 2231. Definitions.
``Sec. 2232. Establishment of cybersecurity intrusion reporting
capabilities.
``Sec. 2233. Required notifications.
``Sec. 2234. Preservation of information.
``Sec. 2235. Analysis of cybersecurity notifications.''.
(c) Technical and Conforming Amendments.--Section 2202(c) of the
Homeland Security Act of 2002 (6 U.S.C. 652(c)) is amended--
(1) by redesignating the second and third paragraphs (12)
as paragraphs (14) and (15), respectively; and
(2) by inserting before paragraph (14), as so redesignated,
the following:
``(13) carry out the responsibilities described in subtitle
C relating to the cybersecurity intrusion reporting
capabilities;''.