DHS says agencies should adopt cyber incident reporting definition, common form

DHS' recommendations come amid a growing patchwork of cyber incident reporting rules and regulations.

With 45 different cyber incident reporting requirements in place across the federal government, and even more on the way, the Department of Homeland Security is recommending the adoption of a standard definition for a “reportable cyber incident” and a common form organizations can use to comply with the different rules.

DHS today released a report on “Harmonization of Cyber Incident Reporting to the Federal Government.” The document, at more than 100 pages long, provides detailed recommendations for streamlining different incident reporting rules.

“It is imperative that we streamline these requirements,” DHS Under Secretary for Policy Rob Silvers, chairman of the council, said in a statement released with the report. “Federal agencies should be able to receive the information they need without creating duplicative burdens on victim companies that need to focus on responding to incidents and taking care of their customers.”

The recommendations were developed in coordination with the Cyber Incident Reporting Council, a body established in 2022 consisting of 33 federal agencies and entities, including the Office of the National Cyber Director, the Federal Bureau of Investigation, the Securities and Exchange Commission, the Federal Trade Commission, and the Federal Communications Commission.

In addition to DHS, the council also includes the Departments of the Treasury, Defense, Justice, Agriculture, Commerce, Health and Human Services, Transportation, and Energy.

The harmonization report was required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022, a landmark law that requires organizations across all 16 critical infrastructure sectors to report cyber incidents to the Cybersecurity and Infrastructure Security Agency.

CISA is currently drafting those regulations. CISA Director Jen Easterly said the recommendations in the harmonization report “will help inform our proposed rule.”

“Reporting cyber incidents is critical to the nation’s cybersecurity: It allows us to spot trends in real-time, rapidly render assistance to victims, and share information to warn other potential targets before they become victims,” Easterly said in a statement. “We also recognize that the need for this information must be balanced with the burdens placed on industry, ensuring that requirements are harmonized and streamlined as effectively as possible.”

The report comes as the Biden administration pushes for more cybersecurity regulation, while some lawmakers are increasingly concerned by a growing patchwork of cyber incident reporting regulations.

The SEC, for instance, drew the ire of House Homeland Security Committee Republicans last month over the agency’s proposed cybersecurity rules that include cyber reporting requirements for public companies. The lawmakers argue the SEC rules conflict with the forthcoming CISA requirements.

In addition to 45 existing incident reporting requirements across 22 federal agencies, the DHS report found an additional seven proposed rules in process, five potential requirements under consideration, and one future requirement with CISA’s forthcoming CIRCIA rule.

The majority of federal requirements relate to national security, economic security, or public safety considerations, while others are focused on privacy or consumer or investor protection.

And each critical infrastructure sector is different, the report notes. While the financial services sector is subject to eight cyber incident rules across, the sector has established “clear parameters and coordinated mechanisms” minimize regulatory overlap and confusion.

Other sectors, meanwhile, have only recently been required to comply with various cyber reporting mandates. And still others, like the water and wastewater sector, are not yet subject to any incident reporting rules.

The DHS report recommends the federal government adopt a model definition of a reportable cyber incident “wherever practical.” The proposed definition in the report includes “commonalities” across the different existing requirements. Agencies “may choose to incorporate some or all the sub-elements based on their authorities and specific mission responsibilities,” the report states.

And DHS additionally proposes a “model reporting form” that would standardize the information agencies require in cyber incident reports.

Michael Daniel, president and chief executive officer of the Cyber Threat Alliance, applauded the effort to advance a common form. Daniel served as cybersecurity coordinator on the National Security Council during the Obama administration.

“It’s important to put the structure down, because it’s very easy to talk about these things in the abstract,” Daniel said. “When you actually start coming up with a reporting form, that really makes it much more concrete. It makes it much more real. And you can really start to tease out where the issues and problems might actually emerge.”

Meanwhile, the DHS report may show the thinking behind the forthcoming incident reporting rules from CISA. For instance, the agency has been working to develop a standard incident reporting form as part of the regulations, while CISA also has to define key terms like a “covered cyber incident” as part of the rules.

“It’s hard to say with the federal regulatory process,” Daniel said. “But I think it would raise a lot of eyebrows if one part of DHS were issuing a report like this, and then the implementing regulation deviated substantially from it.”

The DHS report notes that CISA has been working with other federal agencies to “areas where CISA and its regulatory counterparts might want to align their respective regulations.

“In the coming months, CISA will work to ensure the [notice of proposed rulemaking] reflects the feedback received and outlines an approach for prospective cyber incident and ransom payment reporting requirements,” the report states.

Meanwhile, the DHS report also includes legislative changes to help address duplicative reporting and other potential issues. It suggests Congress “provide authority and funding” to allow agencies to share “common cyber incident data elements,” while carefully considering any privacy, civil liberties and civil rights concerns.

The next step for the incident reporting council, the report notes, is to support agencies in assessing “the feasibility of adopting the various recommendations included in this report, including the adoption of model definitions; timing and trigger provisions; and model reporting form and/or common data elements.”

“Through the CIRC, DHS is prepared to lead a Federal whole-of-government approach to reduce complexity, diminish regulatory overlap, and reduce duplication,” the report states. “This will include continuous work to review and update the Federal cyber incident reporting requirements as the cyber threat environment evolves. DHS will coordinate closely with agencies on the efforts highlighted in this report and keep Congress apprised of their implementation and developments.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories