The Department of Homeland Security (DHS) has suggested several new ideas on how to simplify federal cyber incident reporting rules for victim organizations, including the concept of a single web reporting portal.
There are currently 52 federal requirements in effect or proposed for reporting cyber incidents. As part of the bill on reporting cyber incidents which was signed into law Last March, the Cybersecurity and Infrastructure Security Agency (CISA) was tasked with reviewing and streamlining the regulations.
The effort is coordinated prior to the release of the CISA report. own rules which will constitute the Cyber Incident Reporting for Critical Infrastructure Act – which CISA officials refer to by its acronym CIRCIA.
On Tuesday, DHS Undersecretary for Policy Robert Silvers delivered a 107 page report to Congress describing its work with 33 federal agencies to harmonize cyber incident reporting. In addition to DHS, the Departments of Treasury, Defense, Justice, Agriculture, and Commerce have been involved in this effort alongside several regulatory agencies such as the Securities and Exchange Commission, the Federal Trade Commission, and the Federal Communications Commission.
“To develop these recommendations, the Cyber Incident Reporting Council analyzed more than 50 different federal cyber incident reporting requirements and collaborated with numerous industry and private sector stakeholders,” Silvers. said. “It is imperative that we streamline these requirements. Federal agencies should be able to receive the information they need without creating a double burden on victim businesses who must focus on incident response and taking care of their customers.
The recommendations say:
- The federal government should clarify definitions, timelines and triggers for a reportable cyber incident so that organizations understand if and when they should report something.
- Agencies requiring covered entities to provide notifications to affected individuals or the public should consider whether a delay is warranted when such notification poses a significant risk to critical infrastructure, national security, public safety, or an ongoing law enforcement investigation. .
- The federal government should adopt a model reporting form for reporting cyber incidents and agencies should evaluate the feasibility of leveraging this form for reporting cyber incidents or incorporating the data elements identified therein into reporting forms , web portals or other submission mechanisms.
- Agencies and the federal government should consider the potential creation of a single portal as a means to streamline the receipt and sharing of cyber incident reports and cyber incident information.
- Federal cyber incident reporting requirements should allow for additional updates and reporting.
Other recommendations include adopting common incident terminology and improving inter-agency coordination.
“In the critical period immediately following a cyberattack, our private sector partners need clear and consistent guidance on information sharing to help us quickly mitigate negative impacts,” said Secretary of Homeland Security, Alejandro Mayorkas.
“The recommendations issued today by DHS provide necessary clarity to our partners. They streamline and harmonize reporting requirements for critical infrastructure, including clearly defining a reportable cyber incident, establishing a reporting schedule and adopting an incident reporting form template.
Mayorkas added that the recommendations can “improve our understanding of the cyber threat landscape, help victims recover from disruptions, and prevent future attacks.”
The report outlines steps CISA plans to take to harmonize all rules and also proposes three tasks for Congress that would facilitate the process – including removing legal or statutory barriers to harmonization and authorizing and funding the efforts .
The report also calls on Congress to exempt incident reports from Freedom of Information Act requests that would make the reports public.
In a statement, CISA Director Jen Easterly reiterated his hope that mandatory incident reporting will help defenders spot trends in real time, quickly provide assistance to victims, and share information to warn other potential targets before they become victims.
“We also recognize that the need for this information must be balanced with the burdens placed on industry, ensuring that requirements are harmonized and streamlined as effectively as possible,” she said.
“As the Cybersecurity and Critical Infrastructure Agency (CISA) implements reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act, these recommendations – along with the numerous stakeholder contributions submitted under our rulemaking process – will help inform our proposed rule. .”
Future saved
Intelligence cloud.
No previous articles
No new articles
Jonathan Greig
Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.