DHS proposes critical infrastructure reporting rules

The Department of Homeland Security today previewed a set of proposed rules for how critical infrastructure organizations should report cyber incidents to the federal government.

The reporting process will be overseen by the Cybersecurity and Infrastructure Security Agency (CISA), as provided under the Critical Infrastructure Cyber Incident Reporting Act (CIRCIA). The proposed rules will be officially published on April 4; DHS has offered no explanation for what amounts to an early release.

CIRCIA was signed into law in March 2022 with the goal of improving American cybersecurity by enabling resources to be deployed more quickly and assisting victims in the face of cyberattacks, among other objectives. Under CIRCIA, CISA is required to “promulgate regulations that implement the reporting requirements of cyber incidents and ransom payments covered by the statute for covered entities,” DHS said in its March 27 preview.

The official release of the 447-page document opens public comment on the proposed rules: what they should contain and how they should be administered, among other requirements.

Chris Warner, OT security strategist at GuidePoint Security, noted that while there are some challenges with this type of policy, it also has substantial benefits.

“The legislation presents significant potential benefits for private organizations operating in more than 70% of the country's critical infrastructures,” Warner said in an emailed statement. “Requiring reporting an attack within 72 hours and paying a ransom within 24 hours could help identify these events so they are reported.”


