Sen. Gary Peters, D-Mich., chairman of the Senate Committee on Homeland Security and Governmental Affairs, and Sen. Rob Portman, R-Ohio, the committee’s ranking member, have introduced bipartisan legislation to require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a cyber-attack, and most entities to report if they make a ransomware payment.

The Cyber Incident Reporting Act, which builds on legislation authored by U.S. Representatives Yvette Clarke (D-NY) and John Katko (R-NY), would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a cyber-attack.

The bill also creates a requirement for other organizations, including nonprofits, businesses with more than 50 employees, and state and local governments, to notify the federal government within 24 hours if they make a ransom payment. The legislation directs federal agencies that are notified of attacks to provide that information to CISA and creates a Cybersecurity Incident Reporting Council to coordinate federal reporting requirements.

The bill provides CISA with the authority to subpoena entities that fail to report cybersecurity incidents or ransomware payments. Entities that fail to comply with the subpoena can be referred to the Department of Justice and barred from contracting with the federal government.

The legislation would also require entities that plan on making a ransom payment to evaluate alternatives before making the payment. Finally, the bill requires CISA to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit, and directs the National Cyber Director to establish a joint ransomware task force to coordinate federal efforts, in consultation with industry, to prevent and disrupt ransomware attacks.

The federal rulemaking process that will formalize aspects of this legislation also requires substantial consultation with industry.

Peters and Portman are also drafting separate legislation that will update the Federal Information Security Modernization Act – including requiring federal agencies and contractors to report when they are hit by cyber-attacks.

“The scourge of cyber-attacks that have disrupted the lives of countless Americans shows we are facing a crisis we are not fully prepared to address. When entities – such as critical infrastructure owners and operators – fall victim to network breaches or pay hackers to unlock their systems, they must notify the federal government so we can warn others, prepare for the potential impacts, and help prevent other widespread attacks,” said Senator Peters.