CISA goes on tour to get feedback on cyber incident reporting rules

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The Cybersecurity and Infrastructure Security Agency is taking the development of landmark cyber incident reporting regulations on an 11-stop roadshow, as it seeks feedback on a number of key questions about the forthcoming rules.

CISA previewed a request for information today on the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Under that law, passed earlier this year, the agency is developing regulations that will require critical infrastructure entities to report cyber incidents to CISA within 72 hours and ransomware attacks within 24 hours.

“My goal as the director leading this process is to ensure maximum transparency, make sure it’s a consultative process, and ensure harmonization,” CISA Director Jen Easterly said at the Billington CyberSecurity Summit in Washington on Wednesday, adding that a Cyber Incident Reporting Council led by the Department of Homeland Security will help de-conflict the new rules with existing cyber incident reporting requirements.

CISA has until 2024 to finalize the regulations.

The agency is also holding 11 “listening sessions” to get in-person feedback from around the country:

• Sept. 21: Salt Lake City
• Sept. 28: Atlanta
• Oct. 5: Chicago
• Oct. 5: Dallas/Fort Worth, Texas
• Oct. 12: New York City
• Oct. 13, Philadelphia
• Oct. 26: Oakland, Calif.
• Nov. 2: Boston
• Nov. 9: Seattle
• Nov. 16: Kansas City, Mo.

Additionally, CISA says it will conduct a listening session in Washington, D.C., with the date to be determined.

CISA seeks feedback on key definitions

The RFI is asking for public input on a range of definitions that will define the scope of the incident reporting mandate. For instance, it asks how it should define the “covered entity” companies within critical infrastructure sectors that must report cyber incidents. And it asks for feedback on what should constitute a “covered cyber incident” that must be reported to CISA.

It also seeks feedback on the report content and submissions process, such as what type of information should be included in an incident report, and what constitutes a “reasonable belief” that a cyber incident has occurred, which would trigger the 72-hour deadline.

Some industry organizations have also critiqued cyber incident reporting rules for their potential to distract companies from responding to cyber attacks with regulatory requirements. The RFI targets that issue by asking, “What CISA should consider when ‘balanc[ing] the need for situational awareness with the ability of the covered entity to conduct cyber incident response and investigations’ when establishing deadlines and criteria for supplemental reports.”

The RFI also seeks to convince companies of the “many benefits” of reporting cyber incidents and ransom payments to the government.

“An organization that is a victim of a cyber incident, including those that result in ransom payments, can receive assistance from government agencies that are prepared to investigate the incident, mitigate its consequences, and help prevent future incidents through analysis and sharing of cyber threat information,” it states. “CISA and our federal law enforcement partners have highly trained investigators who specialize in responding to cyber incidents for the express purpose of disrupting threat actors who caused the incident, and providing technical assistance to protect assets, mitigate vulnerabilities, and offer on-scene response personnel to aid in incident recovery.”

CISA, in turn, wants to use such information to thwart future cyber exploits.

“Timely reporting of incidents also allows CISA to share information about indicators of compromise, tactics, techniques, procedures, and best practices to reduce the risk of a cyber incident propagating within and across sectors,” the RFI states. “These reports will allow CISA, in conjunction with other federal partners, to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends and understand how malicious cyber actors are perpetrating their attacks, and quickly share that information with network defenders to warn other potential victims.”

The incident reporting law does allow CISA to issue a subpoena to organizations who don’t comply with the regulations. The rules are among the most far-reaching cyber requirements to have ever been passed into law, and starts to shift what has largely been a voluntary relationship between the public and private sector on cybersecurity issues.

But at Wednesday’s Billington conference, Easterly emphasized the collaborative goals of the incident reporting process.

“It’s hugely important . . . to make sure that we are not overly burdening the private sector, particularly private sector companies under duress if they have been attacked,” she said. “CIRCIA is all about helping. This is not to name, to shame, to blame, or stamp the wounded. We are here to render assistance, and then to get information that we can share with our partners while protecting privacy and protecting the victim.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.