CISA is expected to answer some key questions about the "CIRCIA" cyber incident reporting law in its forthcoming rulemaking.
The Cybersecurity and Infrastructure Security Agency’s new cyber incident reporting rules will require more staff and technology upgrades, the agency revealed in its budget request this week.
CISA is expected to issue the notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) as soon as this week. The law, passed in March 2022, gave the agency two years to develop the proposed rules. After the proposed regulations are published, the agency has another 18 months to gather feedback and finalize the rules.
The agency is requesting $116 million in fiscal 2025 for the CIRCIA program, including 122 full-time equivalent employees. The expansion of staff will help CISA “receive, analyze, and action reports,” according to a budget overview.
CISA also plans to roll out “major technology enhancements,” including an “unclassified ticketing system” for CIRCIA. The agency also wants to integrate a “customer relationship management” tool, expand its threat intelligence platform and develop an “incident reporting web app.”
Matt Hayden, a former CISA official and vice president of cyber client engagement at General Dynamics Information Technology, noted that the implementation of CIRCIA is a major “maturity test” for CISA. The five-year-old agency has grown rapidly in recent years, but it has never carried out a rulemaking of this magnitude.
“As they move forward, their ability to take on new things, like this authority, is going to be a great mark for them moving forward,” Hayden said. “I think they’re going to be successful, but I think it’s going to be one of those lines drawn on the wall to say, ‘I’ve gotten this tall.’”
CISA’s work with the private sector has primarily been voluntary in nature. But the regulations will require critical infrastructure operators to report cyber incidents to CISA within 72 hours. The law also gives CISA the authority to subpoena organizations that don’t comply with the regulations.
The goal of CIRCIA is to provide CISA and other federal agencies with earlier insights into cyber attacks on critical infrastructure entities, like gas pipelines and electric utilities, so officials can help coordinate the response and also warn other organizations that could be affected.
“It gives them that candid battlefield viewpoint to know how they can jump in with resources, with a lot of key vulnerabilities that may rise to the top of the known exploited vulnerabilities list, to really shine a light on things that need attention immediately,” Hayden said.
“This is an opportunity for CISA to do its job with more data and more information,” Hayden added.
In its proposed rules, CISA is expected to reveal key specifics about how exactly the broad incident reporting law will be implemented. Caleb Skeath, a partner at law firm Covington and Burling, said two of the major questions include: who exactly is going to be required to report under the rules, and what type of incidents will need to be reported?
“The law gave some contextual clues as to how those might be fleshed out, but there’s not a firm definition, there’s not a firm sense of how broadly either one might be scoped,” Skeath said.
In a September 2022 request for information, CISA sought feedback on many elements of the cyber incident reporting mandate, including how it should define a “covered entity” that must report incidents under the rules and what should meet the criteria for a “covered incident.”
“It will be interesting to see how CISA describes what a reportable incident is, and how they balance getting that information to allow them to achieve their objectives versus not getting overwhelmed with information if they make that requirement too broad,” Skeath said.
The cyber regulatory landscape has also shifted since Congress passed the incident reporting act two years ago. Notably, the Securities and Exchange Commission last year adopted cyber rules that include a requirement for public companies to file a disclosure within four days of determining that they experienced a material cyber incident.
Some lawmakers have criticized the SEC rules for overlapping with CISA’s forthcoming regulations. Still, the SEC requirements took effect late last year.
CISA officials have said they want to “harmonize” various cyber incident reporting requirements to make the rules less burdensome for companies responding to a cyber incident. More details on regulatory overlap could be revealed in the forthcoming rules.
“The importance of trying to harmonize these various requirements and reduce the burden on companies that are subject to them can be really, really important in terms of how this is operationalized and the resulting potential burden on private sector entities,” Skeath said.
Copyright © 2024 Federal News Network. All rights reserved.