In a significant development aimed at strengthening the nation’s cybersecurity resilience, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) introduced a Notice of Proposed Rulemaking (NPRM) on Wednesday, March 27, 2024. The proposed rule, now available for public inspection in the Federal Register, marks a substantial advancement in protecting critical infrastructure from cyber threats.
As mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the NPRM ushers in a new era of heightened cybersecurity measures.
Empowering CISA through CIRCIA
With CIRCIA in place, CISA is positioned to utilize data on cyber incidents and ransomware payments reported to the agency to identify real-time patterns, bridge essential information gaps, swiftly deploy resources to entities under cyber attack, and pre-emptively warn potential targets.
The rapid sharing of intelligence on cyber incidents enables the cybersecurity agency to provide timely assistance and prevent similar attacks on other organizations, thereby mitigating the cascading impact of cyber threats on national security.
Homeland Security Secretary Alejandro N. Mayorkas emphasized the importance of CIRCIA in enhancing the country’s cybersecurity posture, stating, “Cyber incident reports submitted to us through CIRCIA will enable us to better protect our nation’s critical infrastructure.”
Mayorkas underscored the collaborative efforts with both public and private stakeholders in shaping the proposed rule, welcoming additional feedback during the public comment period to refine the Final Rule.
“CIRCIA enhances our ability to identify trends, provide assistance to cyber incident victims, and quickly share information with potential victims, promoting cyber risk reduction across critical infrastructure sectors. The proposed rule reflects collaboration with public and private stakeholders, and DHS seeks input during the public comment period on the final rule’s direction and substance,” said Mayorkas.
CISA Director Jen Easterly echoed Mayorkas’s sentiments, praising CIRCIA as a game-changer in the cybersecurity landscape for preempting adversary campaigns, enhancing early threat detection, and facilitating coordinated responses with public and private sector partners.
“It will help us better understand the threats we face, identify adversary campaigns sooner, and take cohesive action with our partners in response to cyber threats. We anticipate additional feedback from the critical infrastructure community as we work towards finalizing the Rule,” Easterly stated.
Stakeholder Engagement and Collaborative Efforts
Since September 2022, CISA has actively sought input from a diverse range of stakeholders, including the critical infrastructure community, in shaping the NPRM. The open comment period provides stakeholders with an opportunity to contribute insights on proposed regulations for cyber incident and ransom payment reporting, among other aspects of the CIRCIA regulatory framework.
By incorporating feedback from the Request for Information (RFI) and listening sessions held over the past year, the cybersecurity agency has tailored the NPRM to align with stakeholders’ needs and priorities.
The implementation of CIRCIA signifies a shift in national cybersecurity strategy, allowing CISA to gain comprehensive insight into evolving cyber threats. By providing early warnings to entities at risk of cyber targeting, CIRCIA lays the foundation for proactive cyber risk reduction efforts, bolstering the resilience of the nation’s critical infrastructure against emerging cyber threats.
As the NPRM progresses towards formal publication in the Federal Register, the public is encouraged to actively participate in the 60-day comment period, offering valuable perspectives to shape the Final Rule.
Through collaborative engagement and collective efforts, CISA aims to strengthen America’s cyber defenses and ensure the resilience of critical infrastructure in the face of evolving cyber threats.