Cybersecurity Agency Seeks Input on Cyber Incident Reporting Requirements

The Cybersecurity and Infrastructure Security Agency issued a request for information (RFI), seeking public input on approaches to implementing the cyber incident reporting requirements of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA.

CIRCIA has been a pioneering legislative measure for the whole cybersecurity community and everyone interested in protecting the nation's critical infrastructure. The act allows a better understanding of evident threats, earlier detection, and efficient, coordinated action. In addition, CIRCIA requires the agency to develop and publish a notice of proposed rulemaking for public input and review, consisting of proposed regulations for cyber incident and ransom payment reporting.

Additionally, the RFI seeks input from the critical infrastructure community and members of the public, so that the agency can develop robust reporting requirements. The agency will be hosting public listening sessions across the U.S. to receive input from the public to inform the development of the planned regulations.

In particular, the agency is interested in input on definitions for, and interpretations of, the terminology to be used in the proposed regulations, as well as the form, content, and procedures for submission of reports required under CIRCIA. The agency is also welcoming information on other incident reporting obligations, as well as policies and practices, such as enforcement procedures and information protection strategies, that will be essential to implementing the regulations.

Timely cyber incident reporting permits the agency to deploy resources efficiently and provide assistance to victims experiencing attacks, detect developing threats and trends, and quickly share threat information with federal partners and network defenders so they can take protective steps and inform other potential victims. Ransomware attacks are identified as one of the most severe economic and national security threats that the U.S. faces.

As it stands, covered cyber incident and ransomware payment reporting under CIRCIA will not be required until the final rule implementing CIRCIA's reporting requirements goes into effect. Despite this, the agency urges critical infrastructure owners and operators to voluntarily share information on cyber incidents with the agency before the effective date of the final rule.

The RFI, published in the Federal Register on Sept. 12, opens a 60-day comment period for the public to provide their written submissions.




