President Biden signed the $1.5 trillion “Consolidated Appropriations Act, 2022,” which included language requiring critical infrastructure operators (utilities, banks, etc.) to report a known breach to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. The measure would also require entities to report, within 24 hours, any ransom paid as a result of a ransomware attack.
CISA will have 24 months to issue a notice of proposed rulemaking on the law and an additional 18 months to issue a final rule thereafter. However, given the current state of heightened cybersecurity awareness, it is likely that CISA will issue a rule on a much more aggressive timeline than is allowable under the law.
The reporting requirement will not go into effect until rulemaking is completed.