The federal government has released its long-anticipated cyber incident reporting rules to the public for the first time.
When the Critical Infrastructure Cyber Incident Reporting Act of 2022 (CIRCIA) goes into effect, critical infrastructure entities will be required to notify the federal government if they suffer a significant cyber incident or are subject to ransomware extortion.
CIRCIA is intended to “assist in maintaining national security, economic security, and public health and safety,” the Cybersecurity and Infrastructure Security Agency (CISA) stated in the notice accompanying the 447-page proposed rule released Wednesday.
The goal is to help the federal government better analyze threat trends and identify tactics, techniques, and procedures. CISA would also be able to alert potential victims and assist others more quickly. Additionally, new insights can help software developers create more secure products.
CIRCIA could also pave the way for stronger policy responses. Cybersecurity experts say the United States needs more reporting of ransomware incidents to better understand the threat and make informed decisions.
The version released now is a draft; CISA plans to issue the formal version on April 4th. Interested parties may submit feedback at http://www.regulations.gov within 60 days. The final rule is expected to be published within 18 months.
Overall, CIRCIA is expected to require reports from 316,244 organizations.
The notice also identifies the key areas of discussion that emerged as CISA drafted the regulations, along with CISA's proposed approach and reasoning.
Countries with their own cybersecurity reporting laws are debating how quickly disclosure should be required. CIRCIA gives businesses 72 hours to report a covered cyber incident. An entity also has 24 hours to report a ransomware extortion payment after it has been made, or after a third party has made a ransomware payment on its behalf. The goal is to get information fast enough that CISA can analyze the details and alert other targets in time, but not so fast that reporting impedes initial response efforts or the accuracy of what is reported. Under this proposal, organizations would later submit supplemental updates as they learn more about the incident.
There has also been much discussion about how to define the types of entities and incidents covered.
Some stakeholders warned CISA that requiring reports from too many organizations and for too many incident types could overwhelm the agency. However, CISA concluded that the larger volume of information could be handled through improved data management tools and procedures.
Some stakeholders emphasized the need for a user-friendly reporting process, which CISA aims to provide through a web form. CISA also aims to safeguard the information contained in the reports, for example by exempting it from public records requests and by shielding companies from civil liability based on the information they report.
CISA also aims to reduce duplication. For example, it proposes a CIRCIA exception for an organization that has already provided a substantially similar report on a similar timeline to another federal agency.
CISA estimates that implementation of this rule will cost the public and private sectors $2.6 billion between 2023 and 2033. These costs include the technology and personnel the government needs to receive, analyze, and share the reported information, as well as the costs to private companies of collecting the information and complying with the requirements.
Still, these are rough estimates with wide margins of uncertainty, reflecting large knowledge gaps. For example, CISA does not yet know details such as the expected number of reports.