Cyber Incident Notification Act of 2021

Cyber Incident Notification Act of 2021

This bill requires federal agencies and certain entities to report cybersecurity intrusion incidents to the Cybersecurity and Infrastructure Security Agency (CISA) and addresses related issues.

Within 24 hours of a confirmed intrusion (or potential intrusion), the targeted agency or entity must report the intrusion to CISA.

CISA must promulgate rules relating to the bill, including the information that must be included in each incident report and the entities that must comply with the reporting requirements. At minimum, the covered entities must include federal contractors and owners or operators of critical infrastructure. Similarly, such rules must at minimum require federal agencies and covered entities to report all intrusions involving a nation-state, advanced persistent threat cyber actor, or transnational organized crime group.

If a covered entity fails to meet the bill's requirements, CISA may assess a civil penalty of up to 0.5% of the entity's gross revenue for each day the violation lasts. If the violating entity has federal contracts, the General Services Administration may impose additional penalties, including removal from the Federal Contracting Schedule.

A violation by a federal agency must be referred to that agency's office of the inspector general, which must treat the case as a matter of urgent concern.

CISA, the Department of Justice, and the Office of the Director of National Intelligence must provide periodic reports to Congress concerning the current cyber threat picture facing federal agencies and covered entities.