Cyber incident reporting

CISA Tells Critical Infrastructure Managers to Report Cyber Incidents Ahead of Formal Regulations

The Cybersecurity and Infrastructure Security Agency told those managing critical infrastructure what kind of incidents the agency wants to be fully appraised about through a newly-published “quick guide.” The move was spurred by the sense of urgency arising in connection with Russia’s invasion of Ukraine, Nextgov reported Friday.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 gives CISA up to three and a half years to finalize rules that will settle essential questions about the law’s applicability. It has yet to be clarified what kinds of “incidents” and “entities” should be covered by CISA’s 72-hour reporting requirements, or 24-hour requirements in the case of ransomware, according to the report.

In its latest guide, CISA said that it is still in the process of developing the implementing rules and regulations of CIRCIA. In the meantime, the agency continues to encourage stakeholders to voluntarily share information about cyber-related events that could help mitigate current or emerging cybersecurity threats to critical infrastructure.

CISA stressed in its guide that “cybersecurity information sharing is essential to collective defense” and the United States’ overall defense posture.

In March, Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger warned companies that the Russian government could be preparing to launch cyberattacks. She explained that the potential attacks would be in response to U.S. sanctions against Russia over its invasion of Ukraine.

The latest CISA guide tells critical infrastructure owners and operators, as well as federal, state, local, territorial and tribal government partners that they should immediately report unauthorized access to their system, denial of service attacks that last more than 12 hours and malicious code on their systems. Additionally, the agency seeks immediate updates on targeted and repeated scans against systems, repeated attempts to gain unauthorized access to systems, email and mobile messages associated with phishing attempts or successes, and ransomware against critical infrastructure.