CISA Issued RFI on Cybersecurity Reporting Requirements
On September 9, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information[1] (RFI) from critical infrastructure owners and operators on “approaches to implementing the cyber incident reporting requirements, pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which President Biden signed into law in March 2022.”
Under CIRCIA, CISA is required to “develop and publish a Notice of Proposed Rulemaking (NPRM) for public comment and review, containing proposed regulations for cyber incident and ransom payment reporting.”
Specifically, CISA has provided the following non-exhaustive list of topics on which it is requesting public input:
The definition of “covered entity” (consistent with section 2240(5) of the Homeland Security Act of 2002 (“HAS Act”)) and the number of entities likely to be included under this definition;
The definition of “covered cyber incident” (consistent with HAS Act section 2240(4)), the similarities that this defined term should share with other cyber incidents which currently must be reported under other federal regulatory programs, and the expected number of incidents likely to occur annually or industry/sector-wide;
The definition of “substantial cyber incident”;
The definition of “ransom payment” and “ransomware attack” (consistent with HAS Act section 2240(13), (14)), and the expected number of payments likely to occur annually;
The definition of “supply chain compromise” (consistent with HAS Act Section 2240(17));
“The criteria for determining if an entity is a multi-stakeholder organization that develops, implements, and enforces policies concerning the Domain Name System” (as described in HAS Act section 2242(a)(5)(C)); and
“Any other terms for which a definition, or clarification of the definition for the term contained in CIRCIA, would improve the regulations and proposed definitions for those terms, consistent with any definitions provided for those terms in CIRCIA.”
According to CISA Director Jen Easterly, “[t]he Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a game changer for the whole cybersecurity community and everyone invested in protecting our nation’s critical infrastructure.” As such, Easterly has committed to creating the most effective regulation possible, noting that “[w]e can’t defend what we don’t know about and the information we receive will help us fill critical information gaps that will inform the guidance we share with the entire community, ultimately better defending the nation against cyber threats.”
Written comments must be received on or before November 14, 2022.