New Cyber Incident Reporting Rules from CISA to Impact 316K Entities

The Cybersecurity and Infrastructure Security Agency anticipates receiving a significant volume of reports on hacks, ransomware attacks, and other cyber incidents within the first year of implementing new reporting regulations.

CISA has released a 447-page notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) today. The proposed rules will be officially published in the Federal Register on April 4, with comments due by June 3.

The regulations outline the process by which organizations across critical infrastructure sectors must report cyber incidents to CISA.

According to a senior CISA official, these reports will allow the agency to rapidly deploy resources to assist attack victims, analyze incoming reports to identify trends, and share crucial information with network defenders so that potential targets can be warned.

Organizations covered by the rule are not expected to commence reporting cyber incidents to CISA until early 2026, as the finalization of regulations following the comment period will take approximately 18 months, followed by a review period by Congress.

The proposed regulations represent a comprehensive effort by CISA to enhance cybersecurity measures in response to the incident reporting law passed by Congress in March 2022.

CISA’s proposed budget for fiscal 2025 includes $116 million to bolster staffing and technology to effectively manage the influx of cyber incident reports.

The incident reporting law requires critical infrastructure organizations to report ransomware payments to CISA within 24 hours and to report covered cyber incidents within 72 hours.

While some organizations have expressed concerns about potential over-reporting, CISA emphasizes the need for sufficient data collection to fulfill the law’s objectives in detecting trends, identifying vulnerabilities, and issuing timely warnings.

316K organizations mandated to report?

Approximately 316,000 organizations are estimated to fall under the reporting requirements outlined by CISA’s rules.

CISA’s proposed criteria for “covered entities” include organizations within critical infrastructure sectors that exceed small business size standards and entities falling under sector-specific criteria defined by CISA, irrespective of size.

Each critical infrastructure sector, from IT to energy to healthcare, is subject to sector-specific criteria for incident reporting as outlined by CISA.

The definitions put forth by CISA aim to focus reporting requirements on entities owning or operating systems deemed critical infrastructure, alongside a subset of entities that could impact critical infrastructure without direct ownership or operation.

The regulations exclude federal agencies, as they already have distinct reporting requirements to CISA with shorter time frames.

Required reporting for cyber incidents

CISA’s rules outline specific criteria for what qualifies as a “covered cyber incident,” covering incidents that result in a substantial loss of confidentiality, integrity, or availability, a serious impact on operational systems, a disruption of business operations, or unauthorized access facilitated by a compromised service provider.

CISA has set a high threshold to prevent over-reporting, focusing on incidents that significantly impact systems or operations.

In the first year of implementation in 2026, CISA expects to receive around 25,500 reports, including covered cyber incidents, ransom payments, joint incident and payment reports, and supplemental reports.

Reporting procedures

CISA plans to introduce a web-based reporting form for organizations to submit cyber incident reports, which will be released alongside the final rule.

The agency emphasizes the need for detailed technical information about incidents to aid in broader cybersecurity defense efforts across the ecosystem.

The law grants CISA the authority to issue subpoenas to non-compliant organizations and refer them to the Attorney General for potential civil actions.

Additionally, the proposed rules outline enforcement measures such as suspension and debarment, as well as invoking the False Claims Act.

Collaborative efforts and harmonization

Congressional members have shown support for CISA’s initiatives while emphasizing the importance of reducing burdensome requirements and promoting harmonization across government reporting frameworks.

DHS’ Cyber Incident Reporting Council has advocated for standardization of definitions and reporting mechanisms across various incident reporting regimes.

CISA intends to work with federal agencies to streamline reporting processes and reduce duplication of effort through a proposed “substantially similar reporting” exception under CIRCIA.

Sharing information about cyber incidents across federal agencies is crucial to the success of CIRCIA, and CISA is focused on establishing the connections needed for the seamless sharing of reports mandated by the statute.

© 2024 Federal News Network. All rights reserved.
