Title 6 | Domestic Security | Release 119-73not60

§681g Federal Sharing of Incident Reports

Title 6 › Chapter 1 — HOMELAND SECURITY ORGANIZATION › Subchapter XVIII — CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY › Part D — Cyber Incident Reporting › § 681g

Last updated Apr 3, 2026

Summary

If a federal agency receives a report of a cyber incident from an entity, including a ransomware attack, it must provide that report to the Agency (CISA) as soon as possible and no later than 24 hours after receiving it. A shorter deadline can apply if DHS (including CISA) and the receiving agency agree to one. The Director will share and coordinate the reports. Complying with these requirements does not count as violating other laws or policies that would otherwise limit sharing inside the executive branch. If the agency that sent the report has stricter privacy or security obligations, the Director must follow those stricter protections. The requirement starts when the related final regulation goes into effect.

DHS and the other agencies must make written agreements that set how reports are shared. Those agreements should be public when possible and must make sure reports reach DHS in time to meet the reporting deadlines for incidents and ransom payments set elsewhere in the law.

The Secretary of Homeland Security, through the Director and after consulting the Cyber Incident Reporting Council, must regularly review other reporting rules to avoid conflicts, duplication, or extra burden. The Secretary must also work with other federal partners to simplify reporting and, when possible, create agreements between agencies so reports can be shared while still letting DHS get timely information about incidents and ransom payments.

Full Legal Text

Title 6, §681g

Domestic Security — Source: USLM XML via OLRC

(a)(1) Notwithstanding any other provision of law or regulation, any Federal agency, including any independent establishment (as defined in section 104 of title 5), that receives a report from an entity of a cyber incident, including a ransomware attack, shall provide the report to the Agency as soon as possible, but not later than 24 hours after receiving the report, unless a shorter period is required by an agreement made between the Department of Homeland Security (including the Cybersecurity and Infrastructure Security Agency) and the recipient Federal agency. The Director shall share and coordinate each report pursuant to section 681a(b) of this title, as added by section 103 of this division.
(2) The requirements described in paragraph (1) and section 681e(d) of this title, as added by section 103 of this division, may not be construed to be a violation of any provision of law or policy that would otherwise prohibit disclosure or provision of information within the executive branch.
(3) The Director shall comply with any obligations of the recipient Federal agency described in paragraph (1) to protect information, including with respect to privacy, confidentiality, or information security, if those obligations would impose greater protection requirements than this division or the amendments made by this division.
(4) This subsection shall take effect on the effective date of the final rule issued pursuant to section 681b(b) of this title, as added by section 103 of this division.
(5)(A) The Agency and any Federal agency, including any independent establishment (as defined in section 104 of title 5), that receives incident reports from entities, including due to ransomware attacks, shall, as appropriate, enter into a documented agreement to establish policies, processes, procedures, and mechanisms to ensure reports are shared with the Agency pursuant to paragraph (1).
(B) To the maximum extent practicable, each documented agreement required under subparagraph (A) shall be made publicly available.
(C) The documented agreements required by subparagraph (A) shall require reports be shared from Federal agencies with the Agency in such time as to meet the overall timeline for covered entity reporting of covered cyber incidents and ransom payments established in section 681b of this title, as added by section 103 of this division.
(b) The Secretary of Homeland Security, acting through the Director, shall, in consultation with the Cyber Incident Reporting Council described in section 681f of this title, as added by section 103 of this division, to the maximum extent practicable—
(1) periodically review existing regulatory requirements, including the information required in such reports, to report incidents and ensure that any such reporting requirements and procedures avoid conflicting, duplicative, or burdensome requirements; and
(2) coordinate with appropriate Federal partners and regulatory authorities that receive reports relating to incidents to identify opportunities to streamline reporting processes, and where feasible, facilitate interagency agreements between such authorities to permit the sharing of such reports, consistent with applicable law and policy, without impacting the ability of the Agency to gain timely situational awareness of a covered cyber incident or ransom payment.

Notes & Related Subsidiaries

Editorial Notes

References in Text

Section 103 of this division, referred to in text, is section 103 of div. Y of Pub. L. 117–103, which enacted this part and amended section 659 of this title.

Codification

Section was enacted as part of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, and also as part of the Consolidated Appropriations Act, 2022, and not as part of the Homeland Security Act of 2002 which comprises this chapter.

Statutory Notes and Related Subsidiaries

Definitions

For definitions of terms used in this section, see section 102 of div. Y of Pub. L. 117–103, which is set out as a note under section 665j of this title.

Reference

Citations & Metadata

Citation

6 U.S.C. § 681g
