CISA seeks public input on cybersecurity incident reporting rules


The nation’s cyber defense agency will embark on a cross-country listening tour to better understand what key stakeholders are hoping to see in new mandatory cyber incident reporting requirements featured in the recently-passed Cyber Incident Reporting for Critical Infrastructure Act of 2022.

The Cybersecurity and Infrastructure Security Agency is seeking public input while developing mandatory incident reporting requirements for critical infrastructure owners and operators – and announcing a cross-country tour of listening sessions to coincide with the rulemaking process.

CISA said it wants to hear from key stakeholders on the proposed regulations featured in the recently passed Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) as part of the rulemaking process. The nation's cyber defense agency will host 11 listening sessions through mid-November, in locations ranging from New York and California to Utah and Illinois, and will publish a request for information (RFI) on Monday.

The new legislation features two categories of reporting requirements for critical infrastructure entities: one on covered cyber incidents (CCIs) and another on ransom payments. Under CIRCIA, critical infrastructure entities covered by the law must report a covered cyber incident within 72 hours and a ransomware payment within 24 hours. CISA said it is particularly interested in receiving feedback from the public "on definitions for and interpretations of the terminology to be used in the proposed regulations, as well as the form, manner, content, and procedures for submission of reports required under CIRCIA."

The agency also wants to hear from the public on potential enforcement procedures and protection policies to ensure critical infrastructure owners and operators are complying with the new reporting requirements. Rep. Yvette Clarke (D-N.Y.), chairwoman of the Subcommittee on Cybersecurity, Infrastructure Protection and Innovation, told FCW earlier this year that Congress wrestled with what potential enforcement actions should be taken to ensure the timely reporting of cyber incidents impacting critical infrastructure entities.

Lawmakers worked for years to pass mandatory cyber incident reporting requirements before Congress passed CIRCIA in March. The agency says mandatory reporting is critical to allow for the rapid deployment of resources in the wake of a cyberattack targeting a critical infrastructure organization, and to share threat information and mitigations with other potential victims in real time.

“I’m excited to see CISA move forward with implementing this cybersecurity law, which will help us counter the growing threat of cyberattacks against our institutions and allies," said Sen. Mark Warner (D-Va.), a key sponsor of CIRCIA and the chairman of the Senate Select Committee on Intelligence. "This is an important effort to shore up our nation’s information security and I’m glad to see CISA act with the urgency it merits. I encourage stakeholders to participate in this process and look forward to seeing CISA continue to move expeditiously to adopt these vital safeguards.”

CISA said it also plans to announce sector-specific listening sessions at a later date, and that the "sole intent of the public listening sessions is to allow the general public to provide input to CISA on aspects of potential approaches to implementing CIRCIA's regulatory requirements."

Comments for the forthcoming RFI are due by November 14, 2022.