CISA seeks public comment on upcoming major cyber incident reporting regulations
The Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued a request for public input on proposed regulations that are expected to shake up how the private sector and public agencies respond to major cyberattacks.
The public will have until Nov. 14 to comment on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which directs CISA to oversee implementation of regulations that require relevant entities to provide the agency with detailed reports about cyber incidents and ransom payments they may face.
CISA Director Jen Easterly said last week that the agency would move forward with seeking industry feedback and implementing CIRCIA. Speaking at the Billington Cybersecurity Summit in Washington, she said: “This will finally allow us a much better understanding [of] what’s going on across the ecosystem … [W]e don’t want to burden industry and we don’t want to burden the federal government with noise either.”
Easterly added that after the request for information is issued, she also intends to host several listening sessions with industry to ensure the rule-making process is “consultative.”
CISA’s request for input comes after President Biden in March signed key legislation requiring critical infrastructure owners and operators to report major cyberattacks to CISA within 72 hours and ransomware attacks within 24 hours.
The enactment of CIRCIA regulations would allow CISA, in conjunction with other federal partners, to more rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and understand how malicious cyber actors are perpetrating their attacks.
In its request for public comment, CISA said it is particularly interested in feedback on its definitions of the terminology to be used in the proposed regulations, the manner in which reports will be required to be submitted under CIRCIA, and other incident reporting requirements, including the requirement to report a description of the vulnerabilities exploited.