Is There a Path Forward in Congress for Mandatory Cyber Incident Reporting?

A group of lawmakers are pushing to get cybersecurity incident reporting requirements signed into law as a top priority for Congress in 2022 after it was left out of the latest National Defense Authorization Act.

Rep. Yvette Clarke (D-N.Y.), chairwoman of the Subcommittee on Cybersecurity, Infrastructure Protection and Innovation, told FCW on Wednesday that she and her House colleagues are hoping to include mandatory reporting requirements in the "next available vehicle" and said she confident a compromise can be made with Senate counterparts in a debate which has persisted for over a year.

That debate, Rep. Clarke suggested, is now boiling down to a single question: Should Congress use a carrot or a stick when it comes to incentivizing private companies to report incidents and ransomware attacks to the Cybersecurity and Infrastructure Security Agency?

...

The 2022 NDAA includes several measures aimed at improving federal cyber posture and the ability to respond to cyber incidents, but the legislation did not include a mandatory reporting requirement sought in separate House and Senate bills.

"I think there are good provisions in there, but it's just not enough," said Laura Brent, senior fellow at the Center for a New American Security. "It's good that so much made it into the NDAA, but we can't wait for the NDAA to pass all necessary cyber legislation, so I do hope there is effective standalone work on cyber incident reporting going forward."

Read the full story and more from FCW.