The new Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires CISA to create rules governing cyber incident reporting by critical infrastructure organizations. The RFI and hearings precede a Notice of Proposed Rulemaking (NPRM) that CISA must publish within 24 months of the enactment of CIRCIA, which the President signed into law in March. The sessions and the NPRM are steps toward creating the new rule.
CISA is soliciting expert opinion on what a report should include, but it is already taking steps to implement the change. Here’s what that change means for businesses in the US and what you can do about it now.
Overview of the CISA reporting rule
Owners and operators of critical infrastructure must file cyber incident reports with CISA within 72 hours. They must report ransom payments for ransomware attacks within 24 hours. Other businesses can take part voluntarily.
The CISA Director can subpoena organizations in noncompliance to compel them to provide information necessary to determine whether a cyber incident happened. The CISA Director can refer the matter to the Attorney General to bring civil action to enforce the subpoena when necessary.
CISA will share data from cyber incident reports, including defensive measures and anonymized cyber threat indicators, with other organizations. That data is meant to help businesses adjust their security infrastructure, monitor for specific attacker TTPs (tactics, techniques, and procedures), and block or remediate attacks.