CISA goes on tour to get feedback on cyber incident reporting rules

The Cybersecurity and Infrastructure Security Agency is embarking on an 11-stop roadshow as it develops a groundbreaking cyber incident reporting rule, soliciting feedback on many important questions about the upcoming rule.

CISA today previewed a request for information on the Critical Infrastructure Cyber Incident Reporting Act of 2022. Under the law, which was passed earlier this year, the agency is creating regulations requiring critical infrastructure entities to report cyber incidents to CISA within 72 hours and ransomware attacks within 24 hours.

“My goal as Director to lead this process is to ensure maximum transparency, ensure that it is a consultative process, and ensure harmonization,” CISA Director Jen Easterly said Wednesday at the Billington CyberSecurity Summit in Washington, DC, adding that the Cyber Incident Reporting Council, led by the Department of Homeland Security, will help resolve conflicts between the new rules and existing cyber incident reporting requirements.

CISA should finalize its regulations by 2024.

The agency is holding 11 listening sessions to get direct feedback from across the country:

  • September 21: Salt Lake City
  • September 28: Atlanta
  • October 5: Chicago
  • October 5: Dallas/Fort Worth, TX
  • October 12: New York City
  • October 13: Philadelphia
  • October 26: Oakland, California
  • November 2: Boston
  • November 9: Seattle
  • November 16: Kansas City, Missouri

In addition, CISA has said it will conduct a listening session in Washington, DC, although no date has been set.

CISA seeks feedback on important definitions

The RFI seeks public comment on a set of definitions that determine the scope of incident reporting obligations. For example, it asks how CISA should define “covered entities,” the companies within the critical infrastructure sector that should report cyber incidents. It also seeks feedback on what constitutes a “covered cyber incident” that should be reported to CISA.

In addition, the RFI seeks feedback on the content of the report and the submission process, including what types of information must be included in the incident report and what constitutes a “reasonable belief” that a cyber incident has occurred, which triggers the 72-hour deadline.

Some industry groups have criticized the cyber incident reporting rules, saying the regulatory requirements could distract companies from responding to cyberattacks. The RFI asks “what CISA should consider when balanc[ing] the need for situational awareness with the ability of covered entities to conduct cyber incident response and investigations in establishing deadlines and criteria for supplemental reporting.”

The RFI also tries to convince companies of the “many benefits” of reporting cyber incidents and ransom payments to the government.

“Organizations that have been victims of cyber incidents, including those that lead to ransom payments, should seek assistance from government agencies prepared to investigate incidents, mitigate their consequences, and prevent future incidents through cyber threat analysis and information sharing,” the RFI states. “CISA and our federal law enforcement partners have highly trained investigators who specialize in responding to cyber incidents with the express purpose of providing technical assistance to mitigate vulnerabilities and providing on-site responders to assist in incident recovery.”

Meanwhile, CISA hopes to use such information to thwart future cyberattacks.

“Timely incident reporting also enables CISA to share information on indicators of compromise, tactics, techniques, procedures, and best practices to reduce the risk of cyber incidents spreading within and across sectors,” the RFI said. “These reports enable CISA to work with other federal partners to rapidly deploy resources to provide assistance to victims of attacks, analyze incoming reports across sectors to identify trends, understand how malicious cyber actors are performing their attacks, and quickly share that information, working with network defenders to alert other potential victims.”

The Incident Reporting Act allows CISA to issue subpoenas to organizations that fail to comply with its regulations. The rule is one of the most sweeping cyber requirements ever passed into law, and it starts to shift what has been a primarily voluntary relationship between the public and private sectors on cybersecurity issues.

But at Wednesday’s Billington conference, Easterly emphasized the joint goals of the incident reporting process.

“It is very important,” she said. “CIRCIA is all about assistance. This is not about naming, shaming, blaming, or trampling the injured. We are here to obtain information that can be shared with partners while protecting individuals.”



https://federalnewsnetwork.com/cybersecurity/2022/09/cisa-goes-on-tour-to-get-feedback-on-cyber-incident-reporting-rules/