Critical Infrastructure Security , Government , Industry Specific
CISA Seeks Public Input on Cyber Incident Reporting Rules
US Cyber Defense Agency Proposes 72-Hour Reporting Rule for Covered EntitiesThe U.S. Cybersecurity and Infrastructure Security Agency is seeking public feedback on forthcoming regulations that would require covered entities to inform the federal government of certain cyber incidents within 72 hours of detection.
The cyber defense agency on Wednesday posted to the Federal Register a notice of proposed rule-making as part of a yearslong effort to develop cyber incident reporting requirements for critical infrastructure sectors. CISA began spearheading the rule-making efforts after President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
The legislation gives federal agencies 24 hours to share reports of detected cyber incidents to CISA, and it tasks the Department of Homeland Security with establishing an intergovernmental Cyber Incident Reporting Council to coordinate federal incident reporting requirements.
"Cyber incident reports submitted to us through CIRCIA will enable us to better protect our nation's critical infrastructure," Homeland Security Secretary Alejandro Mayorkas said in a statement. He added that the incident reporting requirements allow the department and CISA to better spot trends "and quickly share information with other potential victims."
The proposed rule-making details specific reporting requirements CISA seeks to include in its final regulations for covered entities. The agency wants ransom payment reports from organizations to include information on the identity of the attackers, as well as whether the victim engaged with law enforcement while resolving the ransom payment or underlying attack.
"Such information would be extremely beneficial to effective operations of the Joint Ransomware Task Force established by CIRCIA and help the federal government minimize the potential for uncoordinated law enforcement activities," the proposed rule-making states.
CISA estimates 316,244 organizations could potentially be affected by the proposed rule, resulting in $1.4 billion in costs to the private sector and $1.2 billion in costs to the federal government.
CISA Director Jen Easterly described CIRCIA as a "game changer" in a statement and added: "We look forward to additional feedback from the critical infrastructure community as we move toward developing the final rule."
One outstanding question the proposed rules addresses is which critical infrastructure operators would come under the reporting requirements. DHS says the rule should cover:
- Providers of wire or radio communications services, including telecoms, cable operators and radio and television broadcasters;
- Manufacturers of electrical equipment, machinery or primary metals as well as transportation equipment makers;
- Defense contractors that come into contact with sensitive information;
- Emergency services providers, including law enforcement and fire and rescue;
- Bulk electric and distribution entities;
- Banks or financial services already regulated by federal agencies, including the Federal Reserve, the Federal Deposit Insurance Corp. or the Commodity Futures Trading Commission;
- State, local, tribal and territorial governments;
- Educational agencies that serve a student population greater than 1,000 pupils and institutes of higher education;
- Hospitals, as well as some drug and medical device manufacturers;
- Information technology makers that have "direct or privileged access to network of computing resources," are original equipment manufacturers, perform "a function critical to trust" or control operational technology;
- Railroad, bus, maritime and aircraft operators and cargo-screening facilities;
- Water systems.
The proposed rule seeks to include all entities in critical infrastructure sectors that exceed the Small Business Administration's size standards, which vary across industries and include thresholds between 100 to 1,500 employees. CISA is also tasked under CIRCIA with running a pilot to identify systems that contain vulnerabilities that could lead to ransomware attacks, as well as notifying the owners of those systems about the various risks.
Senior officials for DHS and CISA told reporters during a phone call that both agencies are working to expand their technology infrastructure to support the expected increase in cyber incident reports from covered entities when the rule goes into effect.
"While these are enhancements to our current systems, in many cases we perform functions like this today," one official said, pointing to sector-specific reporting requirements released in recent years. "We have experience doing this."
The proposed rules acknowledge that not all incident reporting requirements in law or regulation currently include the same trigger for "starting the clock" on when cyber incidents become reportable. The agency said it will take into account when various reporting time frames are triggered under governing laws, regulations or contracts.
The public has 60 days after the official publication of the proposed rule-making in the Federal Register to submit comments.
UPDATE: March 27, 2024, 5:15 UTC: This breaking news story has been updated with additional information.