The Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday released proposed regulations requiring covered critical infrastructure owners and operators to disclose cybersecurity and ransomware incidents.

The 447-page notice of proposed rulemaking, which will be formally published in the Federal Register on April 4, kicks off a 60-day period of comment before CISA is required to publish a final rule in 18 months.

The pending regulations are mandated by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which President Biden signed into law on March 15, 2022. Supporters of CIRCIA expect the law to improve the sharing of information about cyber threats, allowing patterns in cyber-attacks to be discovered quickly and resources to be deployed in response. That, in turn, is expected to help stem the spread of cybersecurity incidents, which frequently rely on the same or similar attacks, methods, and malware.

The law requires covered entities—CISA estimates there will be 316,244 entities potentially affected by the proposed rule—to report certain cyber incidents within 72 hours of realizing that an incident has occurred. Entities that make ransomware payments must report those payments to CISA within one day of making a payment.

The pending rule would also give CISA subpoena authority if the agency “believes a covered entity has failed to submit a CIRCIA report in accordance with CIRCIA regulatory requirements,” according to the text of the proposed rule.

The proposed rule is being published after CISA has already solicited feedback from stakeholders. The upcoming 60-day comment period will provide another opportunity for public and private sector stakeholders to chime in.

“CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure,” CISA Director Jen Easterly said in a statement. “It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats.”