As the Cybersecurity and Infrastructure Security Agency (CISA) begins to craft a proposed rule to require certain critical infrastructure entities to report ransomware attacks and cybersecurity incidents to the government, the agency shortly plans to ask for feedback on the “full gamut” of incident reporting, a senior CISA official said on Monday.
The request for information (RFI) will be “open ended” and include some questions for the public and private sectors touching on what incidents should be covered, how information should be provided, and what are the covered entities that will be affected, Brandon Wales, executive director of CISA said during a webinar hosted by the NTCA, the Rural Broadband Association.
President Joe Biden in March signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which requires certain critical infrastructure entities to report cyber attacks to CISA within 72 hours and ransomware payments within 24 hours. The incident reporting will give CISA and other key federal entities such as the FBI greater awareness of cyber-attacks hitting critical infrastructures, speeding the implementation of defensive and remedial measures nationwide.
The new law also gives CISA two years to issue a proposed rule. First, the agency plans to issue a proposed rulemaking, which will be another avenue for the public to provide comment before the final rule is published.
Wales, the top career official at CISA, also said that this fall the agency will host listening sessions around the U.S. to obtain additional feedback from the private sector on the forthcoming proposed rule.
The Notice of Proposed Rulemaking will also be a formal opportunity for input on how to best go about incident reporting, he said.
“So, there’s going to be multiple opportunities,” Wales said. “We want to hear from industry, understand their perspective, because obviously this is going to affect them and they have the expertise in terms of what the reporting looks like for them and the potential burden.”
Wales also pointed out that the new law doesn’t require entities to report an incident to CISA if the information is similar or the same that has already been provided to another agency under existing regulatory requirements. That means CISA and other federal agencies have to ensure that information shared by critical infrastructures finds its way to CISA, he said.