DHS CISA Kicks off Work to Regulate Critical Infrastructure Incident Reporting
Privacy In Focus®
In the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), Congress directed the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to create broad new rules imposing mandatory cyber incident reporting on critical infrastructure. The private sector, which already faces a patchwork of incident reporting mandates alongside channels for voluntary notification to federal authorities, is keenly interested in how these new rules will take shape.
Given the massive regulatory task facing CISA, the agency published a Request for Information (RFI) in the Federal Register on Monday, September 12, giving the public 60 days to file written submissions.
CISA candidly acknowledges that its task under CIRCIA is broad, and focuses in this RFI on the following areas where it needs input:
- Definitions for and interpretations of the terminology to be used in the proposed regulations;
- The form, manner, content, and procedures for submission of reports required under CIRCIA;
- Information regarding other incident reporting requirements including the requirement to report a description of the vulnerabilities exploited; and
- Other policies and procedures, such as enforcement procedures and information protection policies, that will be required for implementation of the regulations.
CISA does not focus in this RFI on harmonization of its regulations with the myriad other reporting regimes that apply to critical infrastructure sectors and companies. Nor does CISA address the many ongoing cyber regulatory proceedings that appear poised to create further duplication and overlap, such as the pending disclosure mandates proposed by the U.S. Securities and Exchange Commission.
This RFI is a big first step toward the proposed rules that CISA is mandated to publish within 24 months of CIRCIA’s enactment. We urge regulated entities across the 16 critical infrastructure sectors to carefully consider whether and how to participate at this stage.
One area of focus could be the logistics of reporting. DHS, the FBI, and others already operate many reporting forms and online portals. As CISA considers next steps in building out incident reporting tools and mandates, it may be helpful for the agency to hear what has worked and what can be improved. The complexities of incident reporting were discussed with Tatyana Bolton, Policy Director, Cybersecurity and Threats at the R Street Institute and former Cyberspace Solarium Commission staff, on a recent WileyConnected podcast: Mandatory Cyber Incident Reporting: Pros, Cons, and Next Steps.
Comments are to be filed through regulations.gov, referencing CISA-2022-0010.
© 2022 Wiley Rein LLP