
Cyber Incident Notification Act of 2021 Draft Released


Published on Jun 22, 2021

What is the Cyber Incident Notification Act of 2021?

The Cyber Incident Notification Act (CINA) (read full text here) began circulating in draft format on June 16th. Led by Mark Warner, Senate Intelligence Chair, Marco Rubio, and Susan Collins, its emergence comes just one week after Colonial Pipeline's CEO Tim Felt testified before both the House and Senate about the ransomware attack that saw gas prices and gas station lines surge through parts of the country. The bill is meant to speed up the reporting of cybersecurity incidents in an age where nation-state-linked threat actors are frequently attacking supply chains and infrastructure with increasingly catastrophic consequences.

UPDATE: The Cyber Incident Notification Act was introduced to the Senate on July 22nd, 2021 with bipartisan support from an additional 12 senators putting their names on the bill.

Who is Affected?

Much like the president's recent executive order on cybersecurity, the Cyber Incident Notification Act of 2021 places its primary focus on the federal supply chain. However, the CINA expands this coverage to "covered entities," which include owners and operators of critical infrastructure.

The full definition of covered entities has not been drafted yet, and the bill tasks the Cybersecurity & Infrastructure Security Agency (CISA) with drafting a definition that will include “at a minimum, Federal contractors, owners or operators of critical infrastructure, and nongovernmental entities that provide cybersecurity incident response services.” 

Meanwhile in the federal supply chain, it will include “any contractor or subcontractor of the United States Government; except those that only hold service contracts to provide housekeeping or custodial services; or contracts to provide products or services unrelated to information technology below the micro-purchase threshold.”

Additionally, the act opens up CISA reporting to non-covered entities that are not required to report. This openness has many benefits. It will increase CISA's ability to gather information on private sector attacks, and it will deepen the benefits of the public-private partnerships that are already recognized as critical factors in strengthening our country's cyber defenses.

What Incidents Must be Reported?

The CINA requires that any covered entity report ANY incident that falls into one or more of the following categories:

  • involves or is assessed to involve a nation-state
  • involves or is assessed to involve an advanced persistent threat cyber actor
  • involves or is assessed to involve a transnational organized crime group
  • results, or has the potential to result, in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of people in the United States
  • is or is likely to be of significant national consequence
  • is identified by covered entities but affects, or has the potential to affect, agency systems
  • involves ransomware

The demonstrable harm and ransomware bullets are probably going to be the most concerning when considering the enforcement actions for violations. With fines of 0.5% of annual gross revenue, it will be best to err on the side of caution and report everything.

What Must Be Reported?

While we are still waiting on the NIST standards on incident reporting, the CINA lays out minimum reporting requirements. We can expect this standard to be amended to include NIST guidance on mandatory incident information sharing once those guidelines are published later this year.

At a minimum, reports should include:

  • A description of the intrusion, including:
    • Identification of affected systems and networks that were or are believed to have been breached
    • Estimated dates of when such an intrusion is believed to have occurred
  • A description of threat actor activities, including:
    • Vulnerabilities leveraged
    • Tactics used
    • Techniques used
    • Procedures used
  • Any information that could reasonably help identify the cyber actor, such as:
    • Internet protocol addresses
    • Domain name service information
    • Samples of malicious software
  • Contact information, such as a telephone number or electronic mail address, that a Federal agency may use to contact the reporting entity, either directly or through an authorized agent of the covered entity
  • Actions taken to mitigate the intrusion

Timeline for Reporting

After confirmation of an intrusion or potential intrusion, organizations have 24 hours to submit a notification with the above information to CIRT's Cyber Intrusion Reporting Capabilities. The only exception is if the organization is required by another federal organization or requirement to report in a SHORTER time frame. As new information is discovered, updates must be submitted within 72 hours of discovery. These updates are mandated until the event is mitigated and any follow-up investigations are completed.
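The minimum report contents and the 24-hour/72-hour timeline above are the kind of thing an incident response team ends up encoding in its own tooling. The following is an added example (not code from the bill or from Agile IT) that checks a draft notification for the minimum fields and derives due times from a constructed event timeline; the field names, event kinds and sample timestamps are this example's own assumptions.

```python
from datetime import datetime, timedelta, timezone

# Minimum report contents listed in the draft bill (field names are assumed here).
REQUIRED_FIELDS = (
    "affected_systems", "estimated_dates",                     # description of the intrusion
    "vulnerabilities", "tactics", "techniques", "procedures",  # threat actor activities
    "attribution_info",                                        # IPs, DNS data, malware samples
    "contact", "mitigation_actions",
)
NOTIFY_WINDOW = timedelta(hours=24)  # initial notification after confirmation
UPDATE_WINDOW = timedelta(hours=72)  # supplemental update after new discovery


def missing_fields(report: dict) -> list:
    """Required fields that are absent or empty in a draft notification."""
    return [name for name in REQUIRED_FIELDS if not report.get(name)]


def reporting_schedule(events, other_requirement_hours=None):
    """Derive submission due times from a chronologically sorted list of (kind, timestamp).

    kinds (assumed): 'confirmed' = intrusion or potential intrusion confirmed,
    'discovery' = new information found, 'closed' = mitigated and follow-up complete.
    Returns a list of (label, due_at) tuples.
    """
    window = NOTIFY_WINDOW
    if other_requirement_hours is not None:  # a SHORTER federal requirement wins
        window = min(window, timedelta(hours=other_requirement_hours))
    schedule, closed = [], False
    for kind, when in events:
        if kind == "confirmed":
            schedule.append(("initial notification", when + window))
        elif kind == "discovery" and not closed:
            schedule.append(("update", when + UPDATE_WINDOW))
        elif kind == "closed":
            closed = True  # updates are no longer mandated after this point
    return schedule


def sample_events():
    """Constructed timeline: confirmed day 0, discoveries on days 1 and 5, closed on day 4."""
    t0 = datetime(2021, 7, 1, 9, 0, tzinfo=timezone.utc)
    return [("confirmed", t0), ("discovery", t0 + timedelta(days=1)),
            ("closed", t0 + timedelta(days=4)), ("discovery", t0 + timedelta(days=5))]


if __name__ == "__main__":
    # A stricter 12-hour requirement from another agency shortens the initial window.
    for label, due in reporting_schedule(sample_events(), other_requirement_hours=12):
        print(f"{label}: due {due.isoformat()}")
    print("missing:", missing_fields({"affected_systems": ["vpn-gw-01"], "contact": "soc@example.com"}))
```

The discovery on day 5 produces no update because the event was already closed on day 4.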

New Standards for Information Preservation

The draft bill calls for CISA to create rules for data preservation standards. This could be problematic for cloud service providers and SaaS companies, as there is a more than slight chance that CISA will adopt the existing rules in DFARS 7012, which requires that victims of cyberattacks preserve and protect images of all known affected information systems identified in paragraph and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest. Upon request by CISA, the Contractor could be required to provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.

This is problematic on many fronts, as the distributed architecture of many cloud platforms and software products is such that a service may not reside on a single server and may span hundreds or thousands of servers for a single customer, making adherence difficult for SaaS providers.

Penalties for Violating the Cyber Incident Notification Act

There are three tiers of penalties for organizations that fail to report under these proposed rules.

  • Government contractors “shall be subject to penalties determined by the Administrator of the General Services Administration, which may include removal from the Federal Contracting Schedules.”
  • Organizations without government contracts “shall be subject to financial penalties equal to 0.5 percent per day of the entity’s gross revenue from the prior year.”
  • Federal agency violations “shall be referred to the Inspector General for the agency, and shall be treated as a matter of urgent concern.”

Protections from Liability

One point of grace within the Cyber Incident Notification Act is an indemnification from liability for reporting breaches. “No cause of action shall lie or be maintained in any court by any person or entity, other than the Federal Government pursuant to subsection (g) or any applicable law, against any covered entity due to the submission of a cybersecurity notification to the Agency through the Cyber Intrusion Reporting System, in conformance with this subtitle and the rules promulgated under subsection (d), and any such action shall be promptly dismissed.”

Next Steps

As we learned from Schoolhouse Rock's "I'm Just a Bill," "It's a long-long wait while waiting in committee," and it may be months before we see the final version of the legislation. However, with the recent executive orders and the increased adoption of stronger cybersecurity standards across all industries, it is wise to make sure your organization is prepared for new requirements. Even more important is making sure that you don't wind up sitting in front of a select committee explaining why you didn't take basic precautions to protect and monitor your environment.

Agile IT has experience implementing Enhanced Detection and Response (XDR), Zero Trust Architecture, NIST, ITAR and CMMC compliant environments for Defense, Federal, State and Local Governments, regulated industries and critical infrastructure. If you want to learn more about how we leverage Microsoft security tools to reduce complexity and costs while hardening environments, schedule a free consultation.
