Input needed on cyber incident reporting rules
An agency within the Department of Homeland Security (DHS) issued a Request for Information (RFI) in the Federal Register on September 12, soliciting public input on approaches to implementing new cyber incident reporting requirements, pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), or Public Law 117-103.
The Act requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop and publish a proposed rule by March 2024 for cyber incident and ransom payment reporting. Public comments submitted by November 14th will inform the agency’s development of the proposal. A final rule is mandated by September 2025.
In addition to providing the opportunity to submit written comments in response to the RFI, CISA announced a series of public listening sessions across the country from September 21 to November 16, with an additional session in Washington D.C. on a date to be determined. The goal is to gather in-person input to inform the development of the rulemaking. Detailed information about the upcoming listening sessions, including dates, locations, and how to register, is available in a separate notice that also appeared in the September 12th Federal Register.
Why is a rule needed?
The growing number of cyber incidents, including ransomware attacks, is one of the most serious economic and national security threats our nation faces, CISA explains. From the theft of private, financial, or other sensitive data, to cyber-attacks that damage computer networks or facilitate the manipulation of operational or other control systems, cyber incidents are capable of causing significant, lasting harm.
CISA adds that timely cyber incident reporting allows the agency to rapidly deploy resources and render assistance to victims suffering attacks, identify emerging threats and trends, and quickly share threat information with federal partners and network defenders to take protective action and warn other potential victims.
What does CISA want to know?
The agency is working to complete the proposed and final rules within the statutorily mandated time frames. As such, CISA is interested in receiving input from the public on the best approaches to implementing various aspects of this new regulatory authority. All members of the public, including but not limited to specialists in the field, academic experts, industry, public interest groups, and those with relevant economic expertise, are invited to comment.
The RFI offers a list of suggested topics (in the form of questions) on which CISA believes inputs would be particularly useful, including:
- 10 questions about definitions, criteria, and the scope of regulatory coverage;
- 12 questions about the contents of the report and submission procedures;
- 8 questions about other incident reporting requirements and the sharing of security vulnerability information; and
- 3 questions about additional policies, procedures, and requirements.
“We can’t defend what we don’t know about, and the information we receive will help us fill critical information gaps that will inform the guidance we share with the entire community, ultimately better defending the nation against cyber threats,” argues a CISA spokesperson. “We look forward to continuing to learn from the critical infrastructure community – through our request for information and our coast-to-coast listening sessions – to understand how we can implement the new cyber incident reporting legislation in the most effective way possible to protect the nation’s critical infrastructure.”
Who would be covered by the rule?
The agency has not yet defined the term “covered entity,” which will be pinned down as part of the proposed and final rulemaking. However, the Act requires that the definition of covered entity be based on the:
- Consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety;
- Likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and
- Extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.
Where can you learn more?
Detailed information about the RFI and the listening sessions, as well as a copy of the Act and additional resources, is available on CISA’s website at cisa.gov/CIRCIA.
Key to remember
CISA is soliciting public input by November 14th on approaches to implementing new cyber incident reporting requirements as required by law. A proposed rule is anticipated by March 2024 and a final rule by September 2025.