The Cyber Incident Reporting for Critical Infrastructure Act of 2022 and its Applicability to Water and Wastewater Systems

Created: Tuesday, March 15, 2022 - 12:56
Cybersecurity, Security Preparedness

Approved by the House of Representatives on March 9, 2022 and the Senate on March 10 as Division Y of H.R. 2471, the Consolidated Appropriations Act of 2022.

Brief summary:

This legislation amends the Homeland Security Act of 2002 (6 U.S.C. 651) to require covered critical infrastructure owners and operators to report defined cyber incidents to DHS’ Cybersecurity Information and Security Agency (CISA) within 72 hours of having a reasonable belief that an incident has occurred. Covered entities would also have to report to CISA within 24 hours of making a ransom payment related to a cyber incident, after considering alternatives to making the ransom payment. CISA will conduct rulemaking to develop the details of the program, including precise definitions of “covered entities” subject to the reporting requirements.

Applicability to water systems:

While the legislation makes no reference to drinking water or wastewater utilities, it is highly likely that at least some systems will meet the definition of “covered entities” subject to the law when CISA completes its rulemaking. However, the water sector and other stakeholders will have an opportunity to engage with CISA and submit comments on the proposed rule as it is developed and finalized. The legislation could also present opportunities for WaterISAC to serve as a conduit for cyber threat information between CISA and water systems, and to aid water systems in submitting required incident and ransom reports to the agency. Read the attachment for a summary of specific additions to the Homeland Security Act.