Cyber Incident Reporting Council Recommends Shorter Timeline for Reporting Cyberattacks

The Department of Homeland Security has released a report from the Cyber Incident Reporting Council recommending that incidents impacting national and economic security and safety be reported within a shorter timeline than the 72-hour deadline under the Cyber Incident Reporting for Critical Infrastructure Act. 

In a report submitted to Congress under CIRCIA, the council also suggested streamlining how agencies engage with cyber incident victims and simplifying cyber incident reporting requirements for critical infrastructure entities. The report noted that such entities currently need to comply with 45 reporting requirements from 22 federal agencies. 

Issues such as what constitutes an incident and when and how it should be reported require simplification, the council stated in the document, adding that the harmonized requirements and submission process for incident reporting can be applied across sectors.

Unified reporting requirements for critical infrastructure will enable better threat understanding and prioritization, FedScoop reported.

The council’s recommendations will be worked into the Cybersecurity and Infrastructure Security Agency’s proposed rule on cyber incident reporting, expected to be introduced by 2024.

CISA Director Jen Easterly, a 2023 Wash100 awardee, said reporting cyber incidents allows identifying cybersecurity trends in real time, providing assistance to victims quickly and sharing threat information to potential targets.