PRIA Logo
Take the PRIA Score
Title 6Domestic SecurityRelease 119-73

§681d Noncompliance with required reporting

Title 6 › Chapter CHAPTER 1— - HOMELAND SECURITY ORGANIZATION › Subchapter SUBCHAPTER XVIII— - CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY › Part Part D— - Cyber Incident Reporting › § 681d

Last updated Apr 6, 2026|Official source

Summary

If an organization that must report a cyberattack or ransom payment does not file the required report, the Director can first ask that organization directly for details. If the organization does not respond or gives an inadequate reply within 72 hours, the Director can issue a subpoena to force the organization to provide information needed to decide if a covered cyber incident or ransom payment happened and to check effects on national security, economic security, or public health and safety. If the organization still ignores the subpoena, the Director can ask the Attorney General to go to federal court to enforce it, and a court may hold the organization in contempt. Electronic subpoenas must have a secure digital signature. The Director cannot delegate the power to issue these subpoenas. This does not apply to State, local, Tribal, or territorial government entities. The Director may share subpoenaed information with the Attorney General or the right federal regulator if it might lead to enforcement or criminal charges, and may consult them first. The Director must consider how hard it is to tell if an incident happened and whether the organization knew the agency’s reporting rules. Each year the Director must report to Congress how often they requested information, issued subpoenas, or referred matters to the Attorney General, post a version online with counts of requests and subpoenas, and remove or anonymize any victim details before publishing.

Full Legal Text

Title 6, §681d

Domestic Security — Source: USLM XML via OLRC

(a)In the event that a covered entity that is required to submit a report under section 681b(a) of this title fails to comply with the requirement to report, the Director may obtain information about the cyber incident or ransom payment by engaging the covered entity directly to request information about the cyber incident or ransom payment, and if the Director is unable to obtain information through such engagement, by issuing a subpoena to the covered entity, pursuant to subsection (c), to gather information sufficient to determine whether a covered cyber incident or ransom payment has occurred.
(b)(1)If the Director has reason to believe, whether through public reporting or other information in the possession of the Federal Government, including through analysis performed pursuant to paragraph (1) or (2) of section 681a(a) of this title, that a covered entity has experienced a covered cyber incident or made a ransom payment but failed to report such cyber incident or payment to the Agency in accordance with section 681b(a) of this title, the Director may request additional information from the covered entity to confirm whether or not a covered cyber incident or ransom payment has occurred.
(2)Information provided to the Agency in response to a request under paragraph (1) shall be treated as if it was submitted through the reporting procedures established in section 681b of this title 11 So in original. Probably should be followed by a comma. including that section 681e of this title shall apply to such information in the same manner and to the same extent to information submitted in response to requests under paragraph (1) as it applies to information submitted under section 681b of this title.
(c)(1)If, after the date that is 72 hours from the date on which the Director made the request for information in subsection (b), the Director has received no response from the covered entity from which such information was requested, or received an inadequate response, the Director may issue to such covered entity a subpoena to compel disclosure of information the Director deems necessary to determine whether a covered cyber incident or ransom payment has occurred and obtain the information required to be reported pursuant to section 681b of this title and any implementing regulations, and assess potential impacts to national security, economic security, or public health and safety.
(2)(A)If a covered entity fails to comply with a subpoena, the Director may refer the matter to the Attorney General to bring a civil action in a district court of the United States to enforce such subpoena.
(B)An action under this paragraph may be brought in the judicial district in which the covered entity against which the action is brought resides, is found, or does business.
(C)A court may punish a failure to comply with a subpoena issued under this subsection as contempt of court.
(3)The authority of the Director to issue a subpoena under this subsection may not be delegated.
(4)(A)Any subpoena issued electronically pursuant to this subsection shall be authenticated with a cryptographic digital signature of an authorized representative of the Agency, or other comparable successor technology, that allows the Agency to demonstrate that such subpoena was issued by the Agency and has not been altered or modified since such issuance.
(B)Any subpoena issued electronically pursuant to this subsection that is not authenticated in accordance with subparagraph (A) shall not be considered to be valid by the recipient of such subpoena.
(d)(1)Notwithstanding section 681e(a)(5) of this title and paragraph (b)(2) of this section, if the Director determines, based on the information provided in response to a subpoena issued pursuant to subsection (c), that the facts relating to the cyber incident or ransom payment at issue may constitute grounds for a regulatory enforcement action or criminal prosecution, the Director may provide such information to the Attorney General or the head of the appropriate Federal regulatory agency, who may use such information for a regulatory enforcement action or criminal prosecution.
(2)The Director may consult with the Attorney General or the head of the appropriate Federal regulatory agency when making the determination under paragraph (1).
(e)When determining whether to exercise the authorities provided under this section, the Director shall take into consideration—
(1)the complexity in determining if a covered cyber incident has occurred; and
(2)prior interaction with the Agency or awareness of the covered entity of the policies and procedures of the Agency for reporting covered cyber incidents and ransom payments.
(f)This section shall not apply to a State, local, Tribal, or territorial government entity.
(g)The Director shall submit to Congress an annual report on the number of times the Director—
(1)issued an initial request for information pursuant to subsection (b);
(2)issued a subpoena pursuant to subsection (c); or
(3)referred a matter to the Attorney General for a civil action pursuant to subsection (c)(2).
(h)The Director shall publish a version of the annual report required under subsection (g) on the website of the Agency, which shall include, at a minimum, the number of times the Director—
(1)issued an initial request for information pursuant to subsection (b); or
(2)issued a subpoena pursuant to subsection (c).
(i)The Director shall ensure any victim information contained in a report required to be published under subsection (h) be anonymized before the report is published.

Legislative History

Notes & Related Subsidiaries

Editorial Notes

Amendments

2022—Subsec. (b)(2). Pub. L. 117–263 inserted “including that section 681e of this title shall apply to such information in the same manner and to the same extent to information submitted in response to requests under paragraph (1) as it applies to information submitted under section 681b of this title” after “section 681b of this title”.

Reference

Citations & Metadata

Citation

6 U.S.C. § 681d

Title 6Domestic Security

Last Updated

Apr 6, 2026

Release point: 119-73