June 27, 2022

Volume XII, Number 178


June 24, 2022

Subscribe to Latest Legal News and Analysis

The US Government Has a New Stopwatch for Cyber Incident Reporting: What You Need to Know Now

Amid the escalating conflict in Ukraine and concerns of Russian cyber threats to the United States, President Joe Biden recently signed a $1.5 trillion government spending deal with serious cybersecurity reporting obligations for critical infrastructure operators intended to shore up protection of American infrastructure. The Strengthening American Cybersecurity Act —attached to the spending package that funds the federal government until September —requires “critical infrastructure operators” to report cyber incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a cyber-attack, and within 24 hours of a ransomware payment. In light of the new requirements, companies should ensure that their critical incident response plan can function at the required tempo.

Companies considered “critical infrastructure” and subject to the reporting requirements include those in the energy, food and agriculture, information technology, transportation systems, healthcare and public health, commercial facilities, and communications industries, among others.1 Companies who abide by the new reporting measures, can expect limited liability, and trade secret protection in exchange for their compliance. The bill also grants CISA the power to subpoena entities that don’t report a cyber incident or ransomware payment and the ability to make referrals to the Department of Justice for enforcement actions. Noncompliant companies could also face debarment and other financial penalties.

House and Senate members have praised the bill as timely, particularly as cybersecurity concerns continue to rise as a result of U.S. sanctions against Russia for its invasion of Ukraine. “The Cyber Incident Reporting for Critical Infrastructure Act, included within the Consolidated Appropriations Act, 2022, is one of the most significant pieces of cybersecurity legislation in the past decade,” said representatives for the Committee on Homeland Security in a press release issued just the day before the bill’s passage.

An added goal of the reporting requirements is to strengthen relationships between the public and private sectors. CISA Director Jen Easterly called the bill a “game-changer,” also saying that “CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure.”

The bill tasks CISA with developing clear requirements on exactly what should be reported and by whom. CISA has 24 months to publish a notice of proposed rulemaking in the Federal Register, but will likely begin promulgating rules much sooner due to the increase in cyberattacks, along with the ongoing conflict between Russia and Ukraine. In the meantime, diligent critical infrastructure operators should begin adjusting incident response plans to increase monitoring and responsiveness in order to ensure compliance with the new requirements.


1. The bill references Presential Directive 21, which identifies 16 critical infrastructure sectors.

© 2022 Bracewell LLPNational Law Review, Volume XII, Number 76

About this Author

Seth DuCharme Insurance Lawyer Bracewell LLP

Seth DuCharme draws on his 14 years of experience as a senior-level law enforcement officer to advise companies and individuals on cases involving cybersecurity and breach response, Foreign Corrupt Practices Act (FCPA) diligence and litigation, export controls, sanctions compliance and anti-money laundering.

Seth served in the United States Attorney’s Office for the Eastern District of New York from 2008 through 2021. He held various positions at the Eastern District, including Chief of the Criminal Division, Chief of the National Security & Cybercrime Section, and Acting United...

Brittney Justice Litigation Attorney Bracewell

Brittney Justice represents clients across a range of industries in litigation and government enforcement and investigations in federal and state courts. She provides advice on diverse matters, including securities litigation, complex commercial disputes, environmental claims and government investigations. 

Prior to joining Bracewell, Brittney was a legal intern with Texas’ First Court of Appeals.

Claire Cahoon Litigation Attorney Bracewell Law Firm

Claire Cahoon focuses her practice on complex commercial litigation and appeals. Prior to joining Bracewell, Claire served as a legal extern in the United States Attorney’s Office for the Northern District of Texas.


Southern Methodist University Dedman School of Law, J.D.

2020 - magna cum laude

University of Southern California, B.A.

2016 - magna cum laude

Bar Admissions



Spanish — proficient

Anissa L. Adas Commercial Litigation Lawyer Bracewell

Anissa Adas focuses her practice on complex commercial litigation and appeals, compliance reviews and white collar criminal defense. During law school, she served as a judicial intern for the Honorable Marian Blank Horn of the United States Court of Federal Claims.

Anissa has also handled pro bono matters involving immigration and criminal defense.