After more than two dozen listening sessions and an official request for information that resulted in 130 comments, the Cybersecurity and Infrastructure Security Agency (CISA) has created a draft rule for proposed regulations for critical infrastructure entities to report major cyber incident that will be issued as scheduled in March 2024, the agency’s top official said on Thursday.
The final rule is on schedule for release in Sept. 2025, CISA Director Jen Easterly told the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection.
Despite being in draft, the rule has to go through the process, Easterly said.
“Please trust me,” she told the panel. “I’m trying to do everything I can to accelerate that process but we want to get it right because it is so important and so groundbreaking.”
The incident reporting rule is required by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which requires CISA to develop and implement regulations for critical infrastructure entities to report to the agency “covered” cybersecurity incidents and ransomware payments. Easterly said the mandate will give it more clarity than ever into the cyber threat landscape.
CISA maintains that having a greater awareness of cyber threats will enable the agency to better share information with—and help protect—the public and private sectors.
Rep. Andrew Garbarino (R-N.Y.), chairman of the subcommittee, highlighted concerns of the financial industry of separate cyber incident reporting requirements that are being developed by the Securities and Exchange Commission. One financial services official recently told the panel that the banking sector’s cyber workforce is spending 30 to 40 percent of their time on regulatory compliance, he said, adding that a chief information security officer from a “major bank” told him last week that once additional regulations are issued this demand on their time will grow to 50 percent.
Garbarino asked Easterly how CISA and the SEC are working to “harmonize” their respective cyber incident reporting requirements.
Easterly, who worked for the investment bank Morgan Stanley before joining CISA, said she is “sympathetic” to the industry’s concerns. The “good news” is that CIRCIA has a provision to account for duplicative incident reporting through a memorandum of agreement between agencies to prevent companies from having “to report twice and we are working to ensure that that is a streamlined process.”
CISA and the SEC “have spoken” about the issue, “So, I’m sure we’ll end up, I hope we’ll end up in a good place,” Easterly said.