View all text of Part D [§ 681 - § 681g]
§ 681b. Required reporting of certain cyber incidents
(a) In general
(1) Covered cyber incident reports
(A) In general
(B) Limitation
(2) Ransom payment reports
(A) In general
(B) Application
(3) Supplemental reports
(4) Preservation of information
(5) Exceptions
(A) Reporting of covered cyber incident with ransom payment
(B) Substantially similar reported information
(i) In general
(ii) Limitation
(iii) Rules of constructionNothing in this paragraph shall be construed to—(I) exempt a covered entity from the reporting requirements under paragraph (3) unless the supplemental report also meets the requirements of clauses (i) and (ii) of this paragraph; 1
1 So in original. Probably should be “subparagraph”.
(II) prevent the Agency from contacting an entity submitting information to another Federal agency that is provided to the Agency pursuant to section 681g of this title; or(III) prevent an entity from communicating with the Agency.(C) Domain name system
(6) Manner, timing, and form of reports
(7) Effective date
(b) Rulemaking
(1) Notice of proposed rulemaking
(2) Final rule
(3) Subsequent rulemakings
(A) In general
(B) Procedures
(c) ElementsThe final rule issued pursuant to subsection (b) shall be composed of the following elements:
(1) A clear description of the types of entities that constitute covered entities, based on—
(A) the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety;
(B) the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and
(C) the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.
(2) A clear description of the types of substantial cyber incidents that constitute covered cyber incidents, which shall—
(A) at a minimum, require the occurrence of—
(i) a cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes;
(ii) a disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability, against 2
2 So in original. Probably should be followed by a dash.
(I) an information system or network; or(II) an operational technology system or process; or(iii) unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise;
(B) consider—
(i) the sophistication or novelty of the tactics used to perpetrate such a cyber incident, as well as the type, volume, and sensitivity of the data at issue;
(ii) the number of individuals directly or indirectly affected or potentially affected by such a cyber incident; and
(iii) potential impacts on industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers; and
(C) exclude—
(i) any event where the cyber incident is perpetrated in good faith by an entity in response to a specific request by the owner or operator of the information system; and
(ii) the threat of disruption as extortion, as described in section 681(14)(A) 3
3 See References in Text note below.
of this title.(3) A requirement that, if a covered cyber incident or a ransom payment occurs following an exempted threat described in paragraph (2)(C)(ii), the covered entity shall comply with the requirements in this part in reporting the covered cyber incident or ransom payment.
(4) A clear description of the specific required contents of a report pursuant to subsection (a)(1), which shall include the following information, to the extent applicable and available, with respect to a covered cyber incident:
(A) A description of the covered cyber incident, including—
(i) identification and a description of the function of the affected information systems, networks, or devices that were, or are reasonably believed to have been, affected by such cyber incident;
(ii) a description of the unauthorized access with substantial loss of confidentiality, integrity, or availability of the affected information system or network or disruption of business or industrial operations;
(iii) the estimated date range of such incident; and
(iv) the impact to the operations of the covered entity.
(B) Where applicable, a description of the vulnerabilities exploited and the security defenses that were in place, as well as the tactics, techniques, and procedures used to perpetrate the covered cyber incident.
(C) Where applicable, any identifying or contact information related to each actor reasonably believed to be responsible for such cyber incident.
(D) Where applicable, identification of the category or categories of information that were, or are reasonably believed to have been, accessed or acquired by an unauthorized person.
(E) The name and other information that clearly identifies the covered entity impacted by the covered cyber incident, including, as applicable, the State of incorporation or formation of the covered entity, trade names, legal names, or other identifiers.
(F) Contact information, such as telephone number or electronic mail address, that the Agency may use to contact the covered entity or an authorized agent of such covered entity, or, where applicable, the service provider of such covered entity acting with the express permission of, and at the direction of, the covered entity to assist with compliance with the requirements of this part.
(5) A clear description of the specific required contents of a report pursuant to subsection (a)(2), which shall be the following information, to the extent applicable and available, with respect to a ransom payment:
(A) A description of the ransomware attack, including the estimated date range of the attack.
(B) Where applicable, a description of the vulnerabilities, tactics, techniques, and procedures used to perpetrate the ransomware attack.
(C) Where applicable, any identifying or contact information related to the actor or actors reasonably believed to be responsible for the ransomware attack.
(D) The name and other information that clearly identifies the covered entity that made the ransom payment or on whose behalf the payment was made.
(E) Contact information, such as telephone number or electronic mail address, that the Agency may use to contact the covered entity that made the ransom payment or an authorized agent of such covered entity, or, where applicable, the service provider of such covered entity acting with the express permission of, and at the direction of, that covered entity to assist with compliance with the requirements of this part.
(F) The date of the ransom payment.
(G) The ransom payment demand, including the type of virtual currency or other commodity requested, if applicable.
(H) The ransom payment instructions, including information regarding where to send the payment, such as the virtual currency address or physical address the funds were requested to be sent to, if applicable.
(I) The amount of the ransom payment.
(6) A clear description of the types of data required to be preserved pursuant to subsection (a)(4), the period of time for which the data is required to be preserved, and allowable uses, processes, and procedures.
(7) Deadlines and criteria for submitting supplemental reports to the Agency required under subsection (a)(3), which shall—
(A) be established by the Director in consultation with the Council;
(B) consider any existing regulatory reporting requirements similar in scope, purpose, and timing to the reporting requirements to which such a covered entity may also be subject, and make efforts to harmonize the timing and contents of any such reports to the maximum extent practicable;
(C) balance the need for situational awareness with the ability of the covered entity to conduct cyber incident response and investigations; and
(D) provide a clear description of what constitutes substantial new or different information.
(8) Procedures for—
(A) entities, including third parties pursuant to subsection (d)(1), to submit reports required by paragraphs (1), (2), and (3) of subsection (a), including the manner and form thereof, which shall include, at a minimum, a concise, user-friendly web-based form;
(B) the Agency to carry out—
(i) the enforcement provisions of section 681d of this title, including with respect to the issuance, service, withdrawal, referral process, and enforcement of subpoenas, appeals and due process procedures;
(ii) other available enforcement mechanisms including acquisition, suspension and debarment procedures; and
(iii) other aspects of noncompliance;
(C) implementing the exceptions provided in subsection (a)(5); and
(D) protecting privacy and civil liberties consistent with processes adopted pursuant to section 1504(b) of this title and anonymizing and safeguarding, or no longer retaining, information received and disclosed through covered cyber incident reports and ransom payment reports that is known to be personal information of a specific individual or information that identifies a specific individual that is not directly related to a cybersecurity threat.
(9) Other procedural measures directly necessary to implement subsection (a).
(d) Third party report submission and ransom payment
(1) Report submission
(2) Ransom payment
(3) Duty to report
(4) Responsibility to advise
(e) Outreach to covered entities
(1) In general
(2) ElementsThe outreach and education campaign under paragraph (1) shall include the following:
(A) An overview of the final rule issued pursuant to subsection (b).
(B) An overview of mechanisms to submit to the Agency covered cyber incident reports, ransom payment reports, and information relating to the disclosure, retention, and use of covered cyber incident reports and ransom payment reports under this section.
(C) An overview of the protections afforded to covered entities for complying with the requirements under paragraphs (1), (2), and (3) of subsection (a).
(D) An overview of the steps taken under section 681d of this title when a covered entity is not in compliance with the reporting requirements under subsection (a).
(E) Specific outreach to cybersecurity vendors, cyber incident response providers, cybersecurity insurance entities, and other entities that may support covered entities.
(F) An overview of the privacy and civil liberties requirements in this part.
(3) CoordinationIn conducting the outreach and education campaign required under paragraph (1), the Agency may coordinate with—
(A) the Critical Infrastructure Partnership Advisory Council established under section 451 of this title;
(B) Information Sharing and Analysis Organizations;
(C) trade associations;
(D) information sharing and analysis centers;
(E) sector coordinating councils; and
(F) any other entity as determined appropriate by the Director.
(f) Exemption
(g) Rule of construction
(h) Savings provision
(Pub. L. 107–296, title XXII, § 2242, as added Pub. L. 117–103, div. Y, § 103(a)(2), Mar. 15, 2022, 136 Stat. 1042.)