As it moves toward implementing the cybersecurity requirements added to its budget this year, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) said Friday that it will seek public comment on the best approach to their execution.
CISA’s draft request for information — set to be published in the Federal Register on Monday — stems from the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), part of the omnibus spending bill passed by Congress and signed by President Biden in March. The bill requires entities “in a critical infrastructure sector, as defined in Presidential Policy Directive 21” — which includes the energy sector — to report relevant cyber incidents to CISA within 72 hours after they occur, as well as when they make a ransom payment to the perpetrators of a ransomware attack. (See Budget Mandates Cyber Reporting for Critical Infrastructure.)
Authority for several key areas within the law is designated to CISA’s director, including defining which incidents are subject to reporting and which additional sectors, if any, are covered by the requirements. CISA must issue a Notice of Proposed Rulemaking within two years regarding the matters left to the director’s discretion, with a final rule to follow after another 18 months that will also specify what content entities must include in their cyber incident and ransom payment reports, as well as the data preservation requirements.
In a statement, CISA said comments received in response to the RFI “will inform the agency’s development of the proposed regulations.” Members of the critical infrastructure community, as well as the public, will have 60 days from the publication of the RFI to submit their feedback.
CISA’s suggested topics for respondents to address include:
- definitions, criteria and scope of regulatory coverage, including the meaning of “covered entity”; the number of entities likely to be identified with that label; the meaning of “substantial cyber incident,” “ransom payment” and “ransomware attack”; and the number of ransom payments likely to be made every year;
- report contents and submission procedures, such as what information should be required for inclusion in reports, the format of reports and when the deadline for reporting ransom payments begins;
- other reporting requirements and vulnerability information sharing; and
- additional policies, procedures and requirements.
In addition to written comments, stakeholders may participate in one of 11 public listening sessions: one in D.C. and one in each of CISA’s 10 regions. The first listening session will take place Sept. 21 in Salt Lake City, and the last currently on the schedule is planned for Nov. 16 in Kansas City, Mo.; the date of the session in D.C. has not yet been determined.
In the agency’s statement, CISA Director Jen Easterly called the CIRCIA “a game changer for the whole cybersecurity community [that] will allow us to better understand the threats we are facing, to spot adversary campaigns earlier, and to take more coordinated action with our public and private sector partners in response.”
“We can’t defend what we don’t know about, and the information we receive will help us fill critical information gaps that will inform the guidance we share with the entire community, ultimately better defending the nation against cyber threats,” Easterly said. “We look forward to continuing to learn from the critical infrastructure community … to understand how we can implement the new cyber incident reporting legislation in the most effective way possible to protect the nation’s critical infrastructure.”