Todd Boudreau’s Post

CISA publishes 447-page draft of cyber incident reporting rule. Why it matters: 1. **Enhanced National Security:** The new CISA rule mandates timely reporting of cyber incidents, boosting the government's ability to track and respond to cyberattacks efficiently. This reduces risk across critical infrastructure sectors, bolstering national security and public safety. 2. **Cost and Compliance Concerns:** The rule imposes significant financial burdens on both the private and public sectors, with an estimated enforcement cost of $2.6 billion over 11 years. It also raises questions about the potential strain on small organizations not currently covered under the mandate. 3. **Information Sharing and Response Coordination:** By centralizing incident reporting, CISA aims to facilitate better information sharing among federal agencies and with the private sector. This coordinated approach is expected to lead to more effective responses to cyber threats, though challenges in implementation and potential delays have been noted by experts. Learn more by visiting The Record from Recorded Future News: https://lnkd.in/eq8tiHsP

Cybersecurity and Infrastructure Security Agency (CISA) publishes 447-page draft of cyber incident reporting rule "The Cybersecurity and Infrastructure Security Agency (CISA) posted the 447-page set of regulations under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)to the Federal Register, allowing the public to comment on it." "The reports will be exempt from public disclosure laws and confidentiality is ensured, according to CISA." "CISA estimates the cost of enforcing the rule would be $2.6 billion over the next 11 years — or about $230 million each year — with $1.4 billion in cost to industry and $1.2 billion in cost to the federal government." “CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents, and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors,” Awareness? Secrecy? Transparency? #cybersecurity #Security

CISA asked and industry has spoken. Comments for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) were filled with concerns from industry experts that the proposed rule's 400+ page document was vague and too broad in scope. The Biden administration's most notable cyber regulation to date aims to enhance knowledge sharing among critical industries by mandating the reporting of cyber incidents within 24 hours. Is this a positive step towards beneficial legislation or a case of government overreach? Share your thoughts. #cybersecurity #regulation #criticalinfrastructure #CIRCIA #CISA #cyberincidents #feedback https://lnkd.in/gnGK6DPA

CISA has released its proposed rules implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (447 pages!). While these rules won't be finalized for quite some time, it provides good insight into what is likely to come. These rules will impact a substantial number of organizations (financial institutions, healthcare providers, emergency services, information technology, transportation, etc). Here are my immediate notes: As expected, substantial cyber incidents must be reported within 72 hours after the organization "reasonably believes" that a reportable incident has occurred. This is similar to the recent NCUA 72 hour reporting rule. As expected, notice of a ransom payment must be submitted within 24 hours. CISA can enter into "CIRCIA Agreements" with other federal agencies to reduce the number of required notices. The CISA notifications must include a substantial amount of information - much more than other recent early reporting rules. Supplemental reports must be filed if that information is not available at the time of filing. The organization must preserve a substantial amount of data for two years after the report. This includes any forensic images, logs, network data, threat actor communications, details regarding exfiltrated data. This will impact decisions to delete or return data following conclusion of a forensic investigation. CISA will have the ability to request or subpoena information if they believe an organization did not report it as required. For our litigators, there are prohibitions on using the reports in most litigation. For FOIA, don't forget to designate the submissions appropriately. We will issue a full alert on this soon, so stay tuned. #incidentresponse #cybersecurity

Critical infrastructure organizations want CISA to dial back cyber reporting: Public comments from industry on the cyber agency’s draft proposal call for clearer terms and hard limits on what information can be collected. The post Critical infrastructure organizations want CISA to dial back cyber reporting appeared first on CyberScoop.

447 Pages of a DRAFT of a proposed Cyber Incident Reporting rule (s). Looks like an interesting vacation read. A long vacation. Since I look at most things these days thru the Insider Risk lens, I did a quick search for the word "Insider" in this impressive document. Boom, I found it once on page 23755 where they referred to it not as Insider Threat or Risk, but as Insider Misuse. That was a new one for me. Maybe we should write our friends at U.S. Department of Homeland Security and CISA and ask them to take another look at the identification and reporting of one of the most damaging attack vectors we are all facing right now, those that come from within? #insiderriskmanagement #insiderthreat #insidermisuse #DHS #CISA #redvector https://lnkd.in/eNaFMZeC

Public comments for the latest iteration of the Cybersecurity and Infrastructure Security Agency’s cyber incident reporting mandate for #criticalinfrastructure reveal an industry that wants a scaled-back version of what is arguably the Biden administration’s most significant cyber regulation. (via CyberScoop) #cyberpolicy #cyberregulations #natsec #incidentreporting #nationalsecurity

In March 2022 President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which requires companies operating in #criticalinfrastructure sectors to report covered #cyber incidents within 72 hours of their reasonable belief that a cyber incident has occurred. Additionally, companies must report #ransom payments within 24 hours after making the payment. That law is now inching closer to implementation and according to a CISA official the reporting, "is likely to be far more technical than the kind of broad information that you see in responses to the SEC and the 8K filings that companies are doing under SEC reporting requirements." Great reporting by Jessica Lyons, read more here:

CISA released a 447-page notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) https://lnkd.in/gJwuXgJE   Today, Wednesday March 27, 2024, CISA released a 447-page notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The proposed rules will officially publish in the Federal Register on April 4. Comments on the proposal will be due by June 3. The rules lay out how organizations across critical infrastructure sectors will be required to report cyber incidents to CISA. “These reports will allow us to rapidly deploy resources and render assistance to victims suffering attack, analyzing incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims,”. Organizations covered by the rule likely won’t have to start reporting cyber incidents to CISA until early 2026. That’s because after comments on the proposed rule close, CISA has 18 months to finalize the regulations. Congress will then have 60 days to review the rules before they become effective. The incident reporting law broadly requires critical infrastructure organizations to report ransomware payments to CISA within 24 hours and “covered cyber incidents” to the agency within 72 hours. Although the law narrowly defines “covered cyber incident,” it gives more discretion to CISA to define what “covered entities” must report incidents. The rule create a “sufficiently high threshold to prevent overreporting by making it clear that routine or minor cyber incidents do not need to be reported,” CISA writes in the proposed rules. This proposed rule will have teeth  because it gives CISA the power to issue a subpoena to any organization that doesn’t comply with the rules. CISA’s director can also refer the entity to the Attorney General to bring a civil action against any noncomplying organizations. “The Director will take into account the covered entity’s engagement and cooperation with CISA when determining whether to provide information to the Attorney General or head of a regulatory agency for criminal prosecution or regulatory enforcement, respectively, or to pursue civil enforcement,” the proposed rules state. The rulemaking also proposes bringing suspension and debarment, as well as the False Claims Act, into play to help back up the incident reporting law’s enforcement provisions.

Cyber scoop Critical infrastructure organizations want CISA to dial back cyber reporting: Public comments from industry on the cyber agency’s draft proposal call for clearer terms and hard limits on what information can be collected. The post Critical infrastructure organizations want CISA to dial back cyber reporting appeared first on CyberScoop. Check it out!