From Federal News Network:

However, in spite of a scourge of ransomware attacks, including incidents that shut down Colonial Pipeline and a major meatpacking plant, Congress could not come to an agreement on including cyber incident reporting requirements in legislation by the end of the year.

Tatyana Bolton, former cyber policy lead at CISA, said the continued policy of voluntary reporting for critical incidents leaves a major hole in the U.S. approach to cybersecurity. Bolton was also on the staff of the Solarium Commission and directs cyber policy for the R Street Institute.

“The fact that we couldn’t have that very simple provision into law is very unfortunate, and I think we’re going to see over the course of the next year how not having that tool in the toolbox for the federal government is going to be a weakness of our cyber strategy,” Bolton said.

But she and Montgomery expect lawmakers will make another strong push to pass reporting requirements in 2022.

Bolton also predicts Inglis and the National Cyber Director’s office will make progress next year on efforts to introduce more resilience into the U.S. cybersecurity approach, taking a wider view of incidents like ransomware attacks and Log4j.

“His efforts on resilience is focusing on the broader picture,” she said. “It’s the forest for the trees.”