Collapse to view only § 681. Definitions
- § 681. Definitions
- § 681a. Cyber incident review
- § 681b. Required reporting of certain cyber incidents
- § 681c. Voluntary reporting of other cyber incidents
- § 681d. Noncompliance with required reporting
- § 681e. Information shared with or provided to the Federal Government
- § 681f. Cyber Incident Reporting Council
- § 681g. Federal sharing of incident reports
§ 681. DefinitionsIn this part:
(1) Center
(2) Council
(3) Covered cyber incident
(4) Covered entity
(5) Cyber incidentThe term “cyber incident”—
(A) has the meaning given the term “incident” in section 659 1
1 See References in Text note below.
of this title; and(B) does not include an occurrence that imminently, but not actually, jeopardizes—
(i) information on information systems; or
(ii) information systems.
(6) Cyber threat
(7) Federal entity
(8) Ransom payment
(9) Significant cyber incident
(10) Virtual currency
(11) Virtual currency address
(Pub. L. 107–296, title XXII, § 2240, as added Pub. L. 117–103, div. Y, § 103(a)(2), Mar. 15, 2022, 136 Stat. 1039; amended Pub. L. 117–263, div. G, title LXXI, § 7143(b)(2)(N), Dec. 23, 2022, 136 Stat. 3661.)
§ 681a. Cyber incident review
(a) ActivitiesThe Center shall—
(1) receive, aggregate, analyze, and secure, using processes consistent with the processes developed pursuant to the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501 et seq.) reports from covered entities related to a covered cyber incident to assess the effectiveness of security controls, identify tactics, techniques, and procedures adversaries use to overcome those controls and other cybersecurity purposes, including to assess potential impact of cyber incidents on public health and safety and to enhance situational awareness of cyber threats across critical infrastructure sectors;
(2) coordinate and share information with appropriate Federal departments and agencies to identify and track ransom payments, including those utilizing virtual currencies;
(3) leverage information gathered about cyber incidents to—
(A) enhance the quality and effectiveness of information sharing and coordination efforts with appropriate entities, including agencies, sector coordinating councils, Information Sharing and Analysis Organizations, State, local, Tribal, and territorial governments, technology providers, critical infrastructure owners and operators, cybersecurity and cyber incident response firms, and security researchers; and
(B) provide appropriate entities, including sector coordinating councils, Information Sharing and Analysis Organizations, State, local, Tribal, and territorial governments, technology providers, cybersecurity and cyber incident response firms, and security researchers, with timely, actionable, and anonymized reports of cyber incident campaigns and trends, including, to the maximum extent practicable, related contextual information, cyber threat indicators, and defensive measures, pursuant to section 681e of this title;
(4) establish mechanisms to receive feedback from stakeholders on how the Agency can most effectively receive covered cyber incident reports, ransom payment reports, and other voluntarily provided information, and how the Agency can most effectively support private sector cybersecurity;
(5) facilitate the timely sharing, on a voluntary basis, between relevant critical infrastructure owners and operators of information relating to covered cyber incidents and ransom payments, particularly with respect to ongoing cyber threats or security vulnerabilities and identify and disseminate ways to prevent or mitigate similar cyber incidents in the future;
(6) for a covered cyber incident, including a ransomware attack, that also satisfies the definition of a significant cyber incident, or is part of a group of related cyber incidents that together satisfy such definition, conduct a review of the details surrounding the covered cyber incident or group of those incidents and identify and disseminate ways to prevent or mitigate similar incidents in the future;
(7) with respect to covered cyber incident reports under section 1
1 So in original. Probably should be “sections”.
681b(a) and 681c of this title involving an ongoing cyber threat or security vulnerability, immediately review those reports for cyber threat indicators that can be anonymized and disseminated, with defensive measures, to appropriate stakeholders, in coordination with other divisions within the Agency, as appropriate;(8) publish quarterly unclassified, public reports that describe aggregated, anonymized observations, findings, and recommendations based on covered cyber incident reports, which may be based on the unclassified information contained in the briefings required under subsection (c);
(9) proactively identify opportunities, consistent with the protections in section 681e of this title, to leverage and utilize data on cyber incidents in a manner that enables and strengthens cybersecurity research carried out by academic institutions and other private sector organizations, to the greatest extent practicable; and
(10) in accordance with section 681e of this title and subsection (b) of this section, as soon as possible but not later than 24 hours after receiving a covered cyber incident report, ransom payment report, voluntarily submitted information pursuant to section 681c of this title, or information received pursuant to a request for information or subpoena under section 681d of this title, make available the information to appropriate Sector Risk Management Agencies and other appropriate Federal agencies.
(b) Interagency sharingThe President or a designee of the President—
(1) may establish a specific time requirement for sharing information under subsection (a)(10); and
(2) shall determine the appropriate Federal agencies under subsection (a)(10).
(c) Periodic briefingNot later than 60 days after the effective date of the final rule required under section 681b(b) of this title, and on the first day of each month thereafter, the Director, in consultation with the National Cyber Director, the Attorney General, and the Director of National Intelligence, shall provide to the majority leader of the Senate, the minority leader of the Senate, the Speaker of the House of Representatives, the minority leader of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Committee on Homeland Security of the House of Representatives a briefing that characterizes the national cyber threat landscape, including the threat facing Federal agencies and covered entities, and applicable intelligence and law enforcement information, covered cyber incidents, and ransomware attacks, as of the date of the briefing, which shall—
(1) include the total number of reports submitted under sections 681b and 681c of this title during the preceding month, including a breakdown of required and voluntary reports;
(2) include any identified trends in covered cyber incidents and ransomware attacks over the course of the preceding month and as compared to previous reports, including any trends related to the information collected in the reports submitted under sections 681b and 681c of this title, including—
(A) the infrastructure, tactics, and techniques malicious cyber actors commonly use; and
(B) intelligence gaps that have impeded, or currently are impeding, the ability to counter covered cyber incidents and ransomware threats;
(3) include a summary of the known uses of the information in reports submitted under sections 681b and 681c of this title; and
(4) include an unclassified portion, but may include a classified component.
(Pub. L. 107–296, title XXII, § 2241, as added Pub. L. 117–103, div. Y, § 103(a)(2), Mar. 15, 2022, 136 Stat. 1040.)
§ 681b. Required reporting of certain cyber incidents
(a) In general
(1) Covered cyber incident reports
(A) In general
(B) Limitation
(2) Ransom payment reports
(A) In general
(B) Application
(3) Supplemental reports
(4) Preservation of information
(5) Exceptions
(A) Reporting of covered cyber incident with ransom payment
(B) Substantially similar reported information
(i) In general
(ii) Limitation
(iii) Rules of constructionNothing in this paragraph shall be construed to—(I) exempt a covered entity from the reporting requirements under paragraph (3) unless the supplemental report also meets the requirements of clauses (i) and (ii) of this paragraph; 1
1 So in original. Probably should be “subparagraph”.
(II) prevent the Agency from contacting an entity submitting information to another Federal agency that is provided to the Agency pursuant to section 681g of this title; or(III) prevent an entity from communicating with the Agency.(C) Domain name system
(6) Manner, timing, and form of reports
(7) Effective date
(b) Rulemaking
(1) Notice of proposed rulemaking
(2) Final rule
(3) Subsequent rulemakings
(A) In general
(B) Procedures
(c) ElementsThe final rule issued pursuant to subsection (b) shall be composed of the following elements:
(1) A clear description of the types of entities that constitute covered entities, based on—
(A) the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety;
(B) the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and
(C) the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.
(2) A clear description of the types of substantial cyber incidents that constitute covered cyber incidents, which shall—
(A) at a minimum, require the occurrence of—
(i) a cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes;
(ii) a disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability, against 2
2 So in original. Probably should be followed by a dash.
(I) an information system or network; or(II) an operational technology system or process; or(iii) unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise;
(B) consider—
(i) the sophistication or novelty of the tactics used to perpetrate such a cyber incident, as well as the type, volume, and sensitivity of the data at issue;
(ii) the number of individuals directly or indirectly affected or potentially affected by such a cyber incident; and
(iii) potential impacts on industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers; and
(C) exclude—
(i) any event where the cyber incident is perpetrated in good faith by an entity in response to a specific request by the owner or operator of the information system; and
(ii) the threat of disruption as extortion, as described in section 681(14)(A) 3
3 See References in Text note below.
of this title.(3) A requirement that, if a covered cyber incident or a ransom payment occurs following an exempted threat described in paragraph (2)(C)(ii), the covered entity shall comply with the requirements in this part in reporting the covered cyber incident or ransom payment.
(4) A clear description of the specific required contents of a report pursuant to subsection (a)(1), which shall include the following information, to the extent applicable and available, with respect to a covered cyber incident:
(A) A description of the covered cyber incident, including—
(i) identification and a description of the function of the affected information systems, networks, or devices that were, or are reasonably believed to have been, affected by such cyber incident;
(ii) a description of the unauthorized access with substantial loss of confidentiality, integrity, or availability of the affected information system or network or disruption of business or industrial operations;
(iii) the estimated date range of such incident; and
(iv) the impact to the operations of the covered entity.
(B) Where applicable, a description of the vulnerabilities exploited and the security defenses that were in place, as well as the tactics, techniques, and procedures used to perpetrate the covered cyber incident.
(C) Where applicable, any identifying or contact information related to each actor reasonably believed to be responsible for such cyber incident.
(D) Where applicable, identification of the category or categories of information that were, or are reasonably believed to have been, accessed or acquired by an unauthorized person.
(E) The name and other information that clearly identifies the covered entity impacted by the covered cyber incident, including, as applicable, the State of incorporation or formation of the covered entity, trade names, legal names, or other identifiers.
(F) Contact information, such as telephone number or electronic mail address, that the Agency may use to contact the covered entity or an authorized agent of such covered entity, or, where applicable, the service provider of such covered entity acting with the express permission of, and at the direction of, the covered entity to assist with compliance with the requirements of this part.
(5) A clear description of the specific required contents of a report pursuant to subsection (a)(2), which shall be the following information, to the extent applicable and available, with respect to a ransom payment:
(A) A description of the ransomware attack, including the estimated date range of the attack.
(B) Where applicable, a description of the vulnerabilities, tactics, techniques, and procedures used to perpetrate the ransomware attack.
(C) Where applicable, any identifying or contact information related to the actor or actors reasonably believed to be responsible for the ransomware attack.
(D) The name and other information that clearly identifies the covered entity that made the ransom payment or on whose behalf the payment was made.
(E) Contact information, such as telephone number or electronic mail address, that the Agency may use to contact the covered entity that made the ransom payment or an authorized agent of such covered entity, or, where applicable, the service provider of such covered entity acting with the express permission of, and at the direction of, that covered entity to assist with compliance with the requirements of this part.
(F) The date of the ransom payment.
(G) The ransom payment demand, including the type of virtual currency or other commodity requested, if applicable.
(H) The ransom payment instructions, including information regarding where to send the payment, such as the virtual currency address or physical address the funds were requested to be sent to, if applicable.
(I) The amount of the ransom payment.
(6) A clear description of the types of data required to be preserved pursuant to subsection (a)(4), the period of time for which the data is required to be preserved, and allowable uses, processes, and procedures.
(7) Deadlines and criteria for submitting supplemental reports to the Agency required under subsection (a)(3), which shall—
(A) be established by the Director in consultation with the Council;
(B) consider any existing regulatory reporting requirements similar in scope, purpose, and timing to the reporting requirements to which such a covered entity may also be subject, and make efforts to harmonize the timing and contents of any such reports to the maximum extent practicable;
(C) balance the need for situational awareness with the ability of the covered entity to conduct cyber incident response and investigations; and
(D) provide a clear description of what constitutes substantial new or different information.
(8) Procedures for—
(A) entities, including third parties pursuant to subsection (d)(1), to submit reports required by paragraphs (1), (2), and (3) of subsection (a), including the manner and form thereof, which shall include, at a minimum, a concise, user-friendly web-based form;
(B) the Agency to carry out—
(i) the enforcement provisions of section 681d of this title, including with respect to the issuance, service, withdrawal, referral process, and enforcement of subpoenas, appeals and due process procedures;
(ii) other available enforcement mechanisms including acquisition, suspension and debarment procedures; and
(iii) other aspects of noncompliance;
(C) implementing the exceptions provided in subsection (a)(5); and
(D) protecting privacy and civil liberties consistent with processes adopted pursuant to section 1504(b) of this title and anonymizing and safeguarding, or no longer retaining, information received and disclosed through covered cyber incident reports and ransom payment reports that is known to be personal information of a specific individual or information that identifies a specific individual that is not directly related to a cybersecurity threat.
(9) Other procedural measures directly necessary to implement subsection (a).
(d) Third party report submission and ransom payment
(1) Report submission
(2) Ransom payment
(3) Duty to report
(4) Responsibility to advise
(e) Outreach to covered entities
(1) In general
(2) ElementsThe outreach and education campaign under paragraph (1) shall include the following:
(A) An overview of the final rule issued pursuant to subsection (b).
(B) An overview of mechanisms to submit to the Agency covered cyber incident reports, ransom payment reports, and information relating to the disclosure, retention, and use of covered cyber incident reports and ransom payment reports under this section.
(C) An overview of the protections afforded to covered entities for complying with the requirements under paragraphs (1), (2), and (3) of subsection (a).
(D) An overview of the steps taken under section 681d of this title when a covered entity is not in compliance with the reporting requirements under subsection (a).
(E) Specific outreach to cybersecurity vendors, cyber incident response providers, cybersecurity insurance entities, and other entities that may support covered entities.
(F) An overview of the privacy and civil liberties requirements in this part.
(3) CoordinationIn conducting the outreach and education campaign required under paragraph (1), the Agency may coordinate with—
(A) the Critical Infrastructure Partnership Advisory Council established under section 451 of this title;
(B) Information Sharing and Analysis Organizations;
(C) trade associations;
(D) information sharing and analysis centers;
(E) sector coordinating councils; and
(F) any other entity as determined appropriate by the Director.
(f) Exemption
(g) Rule of construction
(h) Savings provision
(Pub. L. 107–296, title XXII, § 2242, as added Pub. L. 117–103, div. Y, § 103(a)(2), Mar. 15, 2022, 136 Stat. 1042.)
§ 681c. Voluntary reporting of other cyber incidents
(a) In general
(b) Voluntary provision of additional information in required reports
(c) Application of section 681e of this title
(Pub. L. 107–296, title XXII, § 2243, as added Pub. L. 117–103, div. Y, § 103(a)(2), Mar. 15, 2022, 136 Stat. 1049; amended Pub. L. 117–263, div. G, title LXXI, § 7143(e)(1), Dec. 23, 2022, 136 Stat. 3664.)
§ 681d. Noncompliance with required reporting
(a) Purpose
(b) Initial request for information
(1) In general
(2) Treatment
(c) Enforcement
(1) In general
(2) Civil action
(A) In general
(B) Venue
(C) Contempt of court
(3) Non-delegation
(4) Authentication
(A) In general
(B) Invalid if not authenticated
(d) Provision of certain information to Attorney General
(1) In general
(2) Consultation
(e) Considerations
When determining whether to exercise the authorities provided under this section, the Director shall take into consideration—
(1) the complexity in determining if a covered cyber incident has occurred; and
(2) prior interaction with the Agency or awareness of the covered entity of the policies and procedures of the Agency for reporting covered cyber incidents and ransom payments.
(f) Exclusions
(g) Report to Congress
The Director shall submit to Congress an annual report on the number of times the Director—
(1) issued an initial request for information pursuant to subsection (b);
(2) issued a subpoena pursuant to subsection (c); or
(3) referred a matter to the Attorney General for a civil action pursuant to subsection (c)(2).
(h) Publication of the annual report
The Director shall publish a version of the annual report required under subsection (g) on the website of the Agency, which shall include, at a minimum, the number of times the Director—
(1) issued an initial request for information pursuant to subsection (b); or
(2) issued a subpoena pursuant to subsection (c).
(i) Anonymization of reports
(Pub. L. 107–296, title XXII, § 2244, as added Pub. L. 117–103, div. Y, § 103(a)(2), Mar. 15, 2022, 136 Stat. 1049; amended Pub. L. 117–263, div. G, title LXXI, § 7143(e)(2), Dec. 23, 2022, 136 Stat. 3664.)
§ 681e. Information shared with or provided to the Federal Government
(a) Disclosure, retention, and use
(1) Authorized activitiesInformation provided to the Agency pursuant to section 681b or 681c of this title may be disclosed to, retained by, and used by, consistent with otherwise applicable provisions of Federal law, any Federal agency or department, component, officer, employee, or agent of the Federal Government solely for—
(A) a cybersecurity purpose;
(B) the purpose of identifying—
(i) a cyber threat, including the source of the cyber threat; or
(ii) a security vulnerability;
(C) the purpose of responding to, or otherwise preventing or mitigating, a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or use of a weapon of mass destruction;
(D) the purpose of responding to, investigating, prosecuting, or otherwise preventing or mitigating, a serious threat to a minor, including sexual exploitation and threats to physical safety; or
(E) the purpose of preventing, investigating, disrupting, or prosecuting an offense arising out of a cyber incident reported pursuant to section 681b or 681c of this title or any of the offenses listed in section 1504(d)(5)(A)(v) of this title.
(2) Agency actions after receipt
(A) Rapid, confidential sharing of cyber threat indicators
(B) Principles for sharing security vulnerabilities
(3) Privacy and civil liberties
(4) Digital security
(5) Prohibition on use of information in regulatory actions
(A) In general
(B) Clarification
(b) Protections for reporting entities and informationReports describing covered cyber incidents or ransom payments submitted to the Agency by entities in accordance with section 681b of this title, as well as voluntarily-submitted cyber incident reports submitted to the Agency pursuant to section 681c of this title, shall—
(1) be considered the commercial, financial, and proprietary information of the covered entity when so designated by the covered entity;
(2) be exempt from disclosure under section 552(b)(3) of title 5 (commonly known as the “Freedom of Information Act”), as well as any provision of State, Tribal, or local freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring disclosure of information or records;
(3) be considered not to constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection; and
(4) not be subject to a rule of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official.
(c) Liability protections
(1) In general
(2) Scope
(3) Restrictions
(d) Sharing with non-Federal entities
(e) Stored Communications Act
(Pub. L. 107–296, title XXII, § 2245, as added Pub. L. 117–103, div. Y, § 103(a)(2), Mar. 15, 2022, 136 Stat. 1051.)
§ 681f. Cyber Incident Reporting Council
(a) Responsibility of the Secretary
(b) Rule of construction
(Pub. L. 107–296, title XXII, § 2246, as added Pub. L. 117–103, div. Y, § 103(a)(2), Mar. 15, 2022, 136 Stat. 1054.)
§ 681g. Federal sharing of incident reports
(a) Cyber incident reporting sharing
(1) In general
(2) Rule of construction
(3) Protection of information
(4) Effective date
(5) Agency agreements
(A) In general
(B) Availability
(C) Requirement
(b) Harmonizing reporting requirements
The Secretary of Homeland Security, acting through the Director, shall, in consultation with the Cyber Incident Reporting Council described in section 681f of this title, as added by section 103 of this division, to the maximum extent practicable—
(1) periodically review existing regulatory requirements, including the information required in such reports, to report incidents and ensure that any such reporting requirements and procedures avoid conflicting, duplicative, or burdensome requirements; and
(2) coordinate with appropriate Federal partners and regulatory authorities that receive reports relating to incidents to identify opportunities to streamline reporting processes, and where feasible, facilitate interagency agreements between such authorities to permit the sharing of such reports, consistent with applicable law and policy, without impacting the ability of the Agency to gain timely situational awareness of a covered cyber incident or ransom payment.
(Pub. L. 117–103, div. Y, § 104, Mar. 15, 2022, 136 Stat. 1054.)