FBI wants in on cyber reporting legislation


The FBI is looking to make sure it has a place in incident disclosure legislation currently being considered by Congress. A Senate bill that is expected to be attached to must-pass defense legislation puts the Cybersecurity and Infrastructure Security Agency (CISA) front and center when it comes to reporting requirements.

Bryan Vorndran, assistant director of the FBI's Cyber Division, told the House Committee on Oversight and Reform "the FBI won't be able to fully support" federal cyber initiatives unless companies are simultaneously required to report incidents to the bureau, in addition to CISA.

"I know there are several cyber reporting bills currently being considered, and I can't stress enough the importance of the FBI receiving full and immediate access to cyber incidents so we can act on them as soon as possible and in unison with our federal partners at CISA," Vorndran said on Tuesday. "The faster we get this information, the faster we can deploy a local cyber threat expert to a victim's door, track, freeze and seize funds taken and ultimately hold cyber criminals accountable."

Sens. Mark Warner (D-Va.), Susan Collins (R-Maine), Gary Peters (D-Mich.) and Rob Portman (R-Ohio) are planning to propose an amendment to the 2022 National Defense Authorization Act that would require infrastructure providers, federal contractors and other key private sector entities to report cyberattacks to CISA within 72 hours of discovery. The measure also provides for the disclosure, within 24 hours, of ransomware payments made to attackers by private and public entities.

CISA Director Jen Easterly previously told the Senate Homeland Security Committee in September that the reporting requirements would allow her agency to quickly "conduct urgent analysis and share information to protect other potential victims."

While Vorndran said his division was in "constant communication" with CISA and the office of the National Cyber Director, Chris Inglis, who also testified on Tuesday, he said the bureau could face hurdles immediately addressing cyber threats unless it was included in the requirements.

Vorndran, who serves at the FBI's nearly 20-year-old cyber division, called on the oversight committee "to make sure legislation explicitly empowers the agencies at the front lines of incident response."

"Cyber is the team sport, and the Department of Justice and the FBI are key players," he added. "It is time for legislation to reflect this reality."

About the Author

Chris Riotta is a staff writer at FCW covering government procurement and technology policy. Chris joined FCW after covering U.S. politics for three years at The Independent. He earned his master's degree from the Columbia University Graduate School of Journalism, where he served as 2021 class president.

