CISA launches incident, ransomware reporting rulemaking RFI

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released its request for information (RFI) on upcoming reporting requirements that will mandate organizations report significant cybersecurity incidents within 72 hours and ransomware payments 24 hours after payments are made. The RFI follows the March passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires CISA to pursue a regulatory rulemaking path for collecting the incident and ransomware payment data.

The RFI is the first step in the rulemaking process. CISA plans not only to collect this data through a rulemaking proceeding but also has begun to consult with various entities on the matter including sector risk management agencies, the Department of Justice (DOJ), other appropriate Federal agencies, and a soon-to-be-formed, Department of Homeland Security (DHS)-chaired Cyber Incident Reporting Council, as also required under CIRCIA. Moreover, CISA has announced it would be hosting 11 in-person listening sessions to inform further how it develops its rules, with one session in each of CISA’s ten regions and another in Washington, DC.

“The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a game changer for the whole cybersecurity community and everyone invested in protecting our nation’s critical infrastructure. It will allow us to better understand the threats we are facing, to spot adversary campaigns earlier, and to take more coordinated action with our public and private sector partners in response,” said CISA Director Jen Easterly in a press release.

Importance of security incident reporting

Experts have long called for mandatory cybersecurity incident reporting to fill a statistics vacuum that has left cybersecurity analysts and government officials with few means to describe the nature and frequency of cybersecurity incidents. The same data void also holds for ransomware payments’ frequency, timing and amounts.

The absence of good data on cybersecurity incidents and ransomware payments makes crafting solutions to minimize these problems challenging. “We can’t defend what we don’t know about and the information we receive will help us fill critical information gaps that will inform the guidance we share with the entire community, ultimately better defending the nation against cyber threats,” Easterly said, announcing the RFI.

At least ten other reporting requirements are in play

In congressional testimony leading to the passage of CIRCIA, CISA’s Easterly noted, “Although some reporting requirements exist within certain sectors, there is currently no single mandatory federal requirement to report cyber incidents. Rather, entities must assess the complex disclosure requirements imposed by an array of agencies at the federal and state levels.”

The creation of a federal mandatory incident reporting scheme is taking place against the backdrop of many other cyber incident reporting requirements already imposed by government agencies. The complex disclosure requirements referenced by Easterly encompass at least ten other existing or proposed reporting requirements, including proposed rules by the Securities and Exchange Commission (SEC) for public companies, proposed regulations by the Federal Trade Commission (FTC), and existing rules by the Federal Deposit Insurance Corporation (FDIC), the Federal Reserve and the Office of the Comptroller of the Currency, and the Transportation Safety Administration (TSA), among others.

Information that the CISA RFI seeks

The RFI raises a series of questions and topics for which it seeks feedback, including:

• Definitional parameters, including what constitutes a covered entity under the rules, what constitutes a covered cyber incident, defining “ransom payment,” “ransomware attack,” “supply chain compromise,” and other foundational terms likely to shape the new rules.
• How report contents and submission procedures should be structured, including what constitutes “reasonable belief” that a covered cyber incident has occurred, which would initiate the time for the 72-hour deadline for reporting covered cyber incidents, and when the time for the 24-hour deadline for reporting ransom payments should begin, among other aspects of report submission timelines and requirements.
• Other incident reporting requirements such as those proposed by the SEC, the FTC and other government agencies, including any areas of actual, likely, or potential overlap, duplication, or conflict between those regulations, directives, or policies and CIRCIA’s reporting requirements. CISA also seeks input on how much it costs to compile and report information about a cyber incident under existing reporting requirements or voluntary sharing arrangements.
• Additional policies, procedures, and requirements, including information on any protections for reporting entities.

Initial security incident reports could be inaccurate

Michael Daniel, head of the Cyber Threat Alliance and former special assistant to President Obama and cybersecurity coordinator on the National Security Council Staff, has been working with his organization and a coalition of nonprofit groups to develop a yet-to-be-released white paper that will provide principles and the kinds of data fields CISA should collect as it seeks to implement CIRCIA. He believes CISA is taking the right approach by moving quickly and having a deliberative process that seeks input from the industry.

One of “the key things is also going to be figuring out how we can do this in a way that’s adaptable, and it can change over time,” Daniel tells CSO. “If you’re going to have [a 72-hour reporting requirement] in there, you also have to build in the ability to update those reports. You can’t consider the incident report that comes in 72 hours after an incident the final version of what happened.”

“Because I can tell you based on my experience over the past 15, 20 years of working in this area, the first report about a cyber incident is wrong. It’s just wrong in some way. And not because people are incompetent or because they’re malicious, it’s just wrong because you don’t have all the facts and getting the facts takes time,” he says. “CISA’s going to have to accept the fact, and the government is going to have to accept the fact that reports are going to have to get updated.”

Daniels also underscores the need to harmonize and align all the various cyber incident reporting requirements. However, he concedes that achieving this alignment might be difficult because the various federal government agencies are likely to defend their rules. “Both the executive and legislative branches need to spend some time thinking about how they arrive at a common reporting timeline if it’s the same thing they’re asking to be reported,” he says.

Daniel thinks this harmonization is beyond CISA’s bailiwick and will ultimately require congressional legislation. “It will probably require congressional action to look at that because, for very good reason, many of those agencies are independent regulators, and the White House doesn’t have any ability to control or mandate what they do. So, that’s going have to be at the behest of Congress.”

Written comments on the RFI are due by November 14, 2022. CIRCIA allows 24 months for CISA to publish its initial notice of proposed rulemaking (NPRM), which won’t happen until CISA reviews the responses to the RFI, and an additional eighteen months from the NPRM to issue its final regulations. At the earliest, the reporting requirements won’t likely appear for at least two to three years, although CISA can expedite the process under the legislation.