CISA Seeks Public Input on Cyber Incident Reporting Rulemaking
The Cybersecurity and Infrastructure Security Agency will hold a road show to support the development of regulations that will guide the reporting of cyber incidents and ransomware attacks on critical infrastructure entities. CISA Director Jen Easterly, a 2022 Wash100 winner, said the goal is to “ensure maximum transparency, make sure it’s a consultative process and ensure harmonization.” The agency is required to create regulations under the Cyber Incident Reporting for Critical Infrastructure Act, Federal News Network reported.
CIRCIA was signed into law in March, supporting U.S. efforts to improve the cybersecurity of critical systems. Regulations being developed under the law will require entities to inform CISA about cyber incidents within 72 hours and ransomware attacks within 24 hours. According to the agency, cyber incident reports will help speed up the deployment of resources and assistance to cyberattack victims, identify cybersecurity trends and provide early warning to other potential victims.
Recently, CISA released a request for information for public comments on the proposed rules, which should be finalized in 2024. The RFI is seeking feedback to help identify companies that must report immediately to CISA, the cyber incidents covered by the regulation and data that should be included in a report. Responses will be accepted until Nov. 14.
While the regulations are aimed at combatting attacks, some entities see them as a distraction from conducting an immediate response. Commenting on the concern, Easterly said at a Billington conference that having a collaborative process will ensure that the incident reporting process will not overly burden the private sector.