The Cybersecurity and Infrastructure Security Agency (CISA) published a new request for information (RFI) today looking for feedback on how to best implement cyber incident reporting requirements for critical infrastructure owners and operators.
CISA is tasked with developing the incident reporting rulemaking, as required by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which Congress approved earlier this year as part of the full-year fiscal year 2022 spending legislation.
“The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a game changer for the whole cybersecurity community and everyone invested in protecting our nation’s critical infrastructure,” CISA Director Jen Easterly said in a statement. “We can’t defend what we don’t know about and the information we receive will help us fill critical information gaps that will inform the guidance we share with the entire community, ultimately better defending the nation against cyber threats.”
Under CIRCIA, critical infrastructure owners and operators are obligated to report certain cyber incidents to CISA within 72 hours, and to report ransomware payments they made to attackers within 24 hours.
Before any of that happens, though, CISA has to work through a rulemaking process that could take up to two years to complete.
CISA said in its RFI that it’s particularly interested in “input on definitions for and interpretations of the terminology to be used in the proposed regulations, as well as the form, manner, content, and procedures for submission of reports required under CIRCIA.”
Along with the RFI, CISA will also hold 11 listening sessions across the country to gain additional feedback.
At the Billington Cybersecurity Summit last week, Easterly said her goal for the CIRCIA process is “to ensure maximum transparency, make sure it’s a consultative process, and ensure harmonization.”
“It’s hugely important… to make sure that we are not overly burdening the private sector,” she added.
The new RFI is just the first step in implementing the cyber incident reporting legislation.
CISA Executive Director Brandon Wales said earlier this year that completion of a rulemaking could be a couple of years away. The agency has two years to publish a draft rulemaking, and then 18 months after that to put forth a final rule.
“Obviously, we are going to try to move sooner than that,” Wales said in June. “We will be working aggressively on that for the next couple of years.”
Comments on the RFI are due by November 14, 2022.