July 1, 2022

Volume XII, Number 182

Cybersecurity Act Signed Into Law Creates New Reporting Obligations

President Biden recently signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 as a part of a larger omnibus appropriations bill.  The new law sets out mandatory reporting requirements for critical infrastructure entities in the event of certain cyber incidents and ransomware payments.  Under the Act, once implementing regulations are issued (which are not expected this year) covered entities will be subject to two new reporting requirements:  

  • Covered entities must report covered cyber incidents no later than 72 hours after the covered entity reasonably believes that an incident has occurred.

  • Covered entities that make ransom payments as a result of a ransomware attack against critical infrastructure must report the payment no later than 24 hours after payment has been made.

While the general reporting timeframes are clear, the questions of who is impacted by this Act, what incidents must be reported, and what the reporting process requires are decidedly less clear. The Cybersecurity and Infrastructure Security Agency (CISA) will be issuing rules addressing those points. A proposed rule is to be issued within 24 months, and the Director of CISA is to issue a final rule within 18 months of issuance of the proposed rule. As part of the rulemaking, CISA will further define the scope of critical infrastructure entities that are covered. It is hoped that the rulemaking will also include a clearer description of what constitutes a substantial cyber incident. The requirements will not go into effect until CISA issues its rules.

The Act outlines strict enforcement mechanisms to ensure compliance with the Act.  If CISA suspects a covered entity has not submitted a required report, CISA will ask the entity to disclose an incident. If the entity does not respond within 72 hours, CISA can subpoena the entity for more information.  Failure to comply with the subpoena can result in civil penalties and/or suspension and debarment from federal contracting.

Putting it into Practice:  Reporting requirements will not be effective immediately, but companies that generally operate in critical infrastructure sectors should review the Act and proposed rulemaking when it is released to determine if they will be subject to the reporting requirements. Companies also may consider submitting comments on the proposed rule to participate in the rulemaking process and reviewing their incident response plans for potential updates to be made based on the new rules. 

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XII, Number 88

About this Author

Townsend Bourne, Government Affairs Attorney, Sheppard Mullin Law Firm
Associate

Ms. Bourne's practice focuses on Government Contracts law and litigation. Her experience includes complex litigation in connection with the False Claims Act, bid protest actions both challenging and defending agency decisions on contract awards before the Government Accountability Office and Court of Federal Claims, claims litigation before the Armed Services Board of Contract Appeals and the Civilian Board of Contract Appeals, investigating and preparing contractor claims, and conducting internal investigations. 

Ms. Bourne advises clients on a...

202-469-4917
Lauren Weiss Associate Washington D.C. Sheppard, Mullin, Richter & Hampton LLP
Associate

Lauren Weiss is an associate in the Government Contracts, Investigations & International Trade Practice Group in the firm's Washington, D.C. office.

Areas of Practice: Lauren’s practice focuses on government contracts litigation, investigations, and counseling matters including the following areas: Cybersecurity counseling, Internal Investigations, Regulatory compliance, Bid protests before the U.S. Government Accountability Office, Civil False Claims Act litigation defense, and Transactional due diligence.

Prior...

202-747-2678