Cybersecurity requirements for defense contractors and cyber incident reporting requirements for critical infrastructure organizations are both nearing critical junctures after years of discussion and development.
The Cybersecurity and Infrastructure Security Agency is “finishing” the notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act of 2022, CISA Director Jen Easterly said during the Billington Cybersecurity Summit in Washington on Wednesday.
“That should be out later this year or early next year,” Easterly said.
Once in effect, the rules will require critical infrastructure entities to report cyber incidents to CISA within 72 hours. They will also require them to report ransomware payments within 24 hours. But first CISA has to go through a complex rulemaking process to define key parameters, such as which organizations are required to report cyber incidents and what kinds of incidents are covered by the law.
The legislation requires CISA to publish a notice of proposed rulemaking for the incident reporting requirements by March 2024. CISA then has another 18 months to finalize the rules before they go into effect.
CISA published an initial request for information on the requirements last fall, in addition to going on a “listening tour” to get feedback from communities across the nation. Groups have urged CISA to develop a “simple” mechanism for reporting cyber incidents across 16 critical infrastructure sectors.
Lauren Boas Hayes, senior advisor for technology at CISA, encouraged organizations to comment once the agency publishes its proposed rules.
“When our NPRM comes out, we would love your comments, because that’s really where we’re going to try to lay out some of our thinking and where we’re going,” Hayes said during a panel discussion today at Billington. “And we are committed to reading those comments and taking in that feedback to inform the final rule.”
CISA is “really interested” in the type of incident reporting data that will help the agency understand the specifics of an incident on a critical network, Hayes said, both so CISA can provide assistance to the victim and notify other entities that may be affected by a similar incident.
Over time, Hayes said, the data will also help CISA uncover deeper cybersecurity trends across critical infrastructure. The law also requires CISA to publish quarterly reports on what the agency is learning through the incident reporting requirements, while keeping victim information anonymous.
“I think ensuring that we get consistent data is so critical to making sure we can do good data analysis,” she said. “And that’s one of the reasons why having sort of a consistent approach through something like an incident reporting form is really valuable to us and making sure we can also train our folks to make sure we’re giving the same level of care in order to entities who report.”
Meanwhile, the “harmonization” of different cyber requirements has become a major issue for government and industry alike. House Republicans earlier this month blasted the Securities and Exchange Commission over the SEC’s proposed cyber rules for public companies. In a letter to the SEC chairman, the lawmakers argue the SEC rules conflict with the incident reporting requirements currently under development at CISA.
Hayes said CISA is seeking to harmonize its incident reporting processes with the reporting requirements of other agencies “to the greatest extent we can.” The CIRCIA law allows CISA to sign interagency agreements to share incident reports. And Hayes said CISA is building its web-based reporting portal to be a “straightforward way” for sharing incident reports.
“For CIRCIA covered incidents, we do intend to make that really a streamlined process,” she said.
The Department of Homeland Security’s Cyber Incident Reporting Council is also developing a report with recommendations for harmonization across incident reporting rules.
“For us, that’s something that we’re absolutely considering, that report, as we think through CIRCIA,” Hayes said.
The Pentagon is also getting closer to making the Cybersecurity Maturity Model Certification requirements a reality. Once implemented, CMMC will allow DOD to require an assessment of a contractor’s compliance with the security controls in National Institute of Standards and Technology Special Publication 800-171.
The Defense Department submitted the CMMC rulemaking package to the White House earlier this year. Matthew Travis, the chief executive of the nonprofit Cyber Accreditation Body, said it’s likely the rulemaking will be available for public comment by the end of the calendar year.
“We expect it to come out for public comments November-December timeframe, and then industry will have a chance to respond to that,” Travis said at the Billington summit. “And then DOD will have to adjudicate those comments, and we’ll see, but we’re hopeful that CMMC will actually go live . . . probably in the backend of 2024.”
The Pentagon initiated the CMMC program more than four years ago after officials said it became clear adversaries were targeting the defense industry, while many defense contractors were not meeting contractual cybersecurity requirements for protecting controlled unclassified information (CUI).
But DOD significantly overhauled the initial plan for CMMC in late 2021 after industry complained the requirements would be too onerous for many small and medium-sized businesses.
John Sherman, DOD’s chief information officer, said “there’s been a lot of work to get CMMC right.”
“We think a lot about how this looks from the other side here implementing 800-171 NIST standards, particularly for small and medium businesses,” Sherman said at Billington. “That’s where our heart was going into this, making sure this is implementable. We tried to simplify it a bit not making it overly burdensome. But having cybersecurity for our [defense industrial base] that’s working with CUI is non-negotiable. We’ve got to get this right.”