CISA Seeks Comment on Cyber Incident Reporting Rules
CISA has taken the first step towards implementing a law that will require U.S. critical infrastructure to report cybersecurity incidents to the government.
Organizations responsible for U.S. critical infrastructure will soon have to report cybersecurity incidents they face to the U.S. government.
The country is another step closer to a formalized cyber incident reporting standard – a concept that was introduced when the Senate passed the Strengthening American Cybersecurity Act of 2022 earlier this year – thanks to steps taken by the Cybersecurity and Infrastructure Security Agency (CISA) this week.
Last week CISA announced a series of public listening sessions as well as a Request for Information (RFI) in hopes of developing regulations under the law. Both documents were published in the Federal Register on Monday.
A Request for Information is one way a federal agency can solicit input from the public to help it determine whether to develop a proposed rule and what issues are important to the public. This RFI pertains to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) – the cyber incident reporting component of the Strengthening American Cybersecurity Act.
Under CIRCIA, companies that work in the critical infrastructure sector will have to report a cyber incident within 72 hours of the company's reasonable belief that a cyber incident has occurred. They will have to report a ransom payment within 24 hours after the payment has been made. CISA has previously taken steps to outline what types of organizations the law will apply to, what should be reported, and how to report an incident.
Some of the terms CISA hopes to define through the RFI include what a covered entity is, what a ransomware attack and a ransomware payment are, what a supply chain compromise is, and so on.
“Enactment of CIRCIA marks an important milestone in improving America’s cybersecurity by, among other things, requiring CISA to develop and implement regulations requiring covered entities to report covered cyber incidents and ransom payments to CISA,” reads the RFI. “These reports will allow CISA, in conjunction with other federal partners, to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends and understand how malicious cyber actors are perpetrating their attacks, and quickly share that information with network defenders to warn other potential victims.”
The listening sessions, which are scheduled between September 21 and November 16, are designed as a way for the public to provide input to CISA on items outlined in the RFI in person. Now that the RFI has been published in the Federal Register, the public will also have 60 days to provide their written submissions.
Seeking public comment is the first in what promises to be a lengthy process for the agency. While both documents are formalities – CISA will have to develop and publish a Notice of Proposed Rulemaking (NPRM), which will be open to public comment, and a Final Rule, too – they’re signs the agency is taking its role in forming the reporting requirements seriously.
“The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a game changer for the whole cybersecurity community and everyone invested in protecting our nation’s critical infrastructure,” CISA Director Jen Easterly said in a statement. “We can’t defend what we don’t know about and the information we receive will help us fill critical information gaps that will inform the guidance we share with the entire community, ultimately better defending the nation against cyber threats.”
U.S. Senator Mark Warner (D-VA), who co-sponsored the law and also serves as the Chairman of the Senate Intelligence Committee, applauded CISA's efforts Friday.
“I’m excited to see CISA move forward with implementing this cybersecurity law, which will help us counter the growing threat of cyberattacks against our institutions and allies," Warner said. "This is an important effort to shore up our nation’s information security and I’m glad to see CISA act with the urgency it merits. I encourage stakeholders to participate in this process and look forward to seeing CISA continue to move expeditiously to adopt these vital safeguards.”