The Cybersecurity and Infrastructure Security Agency (CISA) this week will host the first in a series of public listening sessions designed to provide the agency with input as it develops proposed regulations for critical infrastructure entities to report major cyber incidents.
The first listening session is scheduled for Sept. 21 in Salt Lake City, Utah, and will be followed by at least nine more around the country in the coming two months, ending with an event on Nov. 16 in Kansas City, Mo. CISA is also planning to host a session in Washington, D.C., but hasn’t finalized a date.
In addition to the listening sessions, CISA this month released a Request for Information (RFI) seeking public comments to help the agency craft its proposed critical infrastructure cyber incident reporting requirements, which will be published in a Notice of Proposed Rulemaking (NPRM). Responses to the RFI are due by Nov. 12.
“This public input from our critical infrastructure partners will help us understand how we can implement the new cyber incident reporting legislation in the most effective way possible to protect the nation’s critical infrastructure,” CISA says.
The NPRM is due by March 2024, which comes two years after President Joe Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
CIRCIA requires CISA to develop and implement regulations for critical infrastructure entities to report “covered” cyber security incidents and ransomware payments to the agency. CISA maintains that the mandatory reporting requirements are necessary to help it gain greater situational awareness of the threat landscape as incidents occur, which in turn will help it work with the public and private sectors in preventing attacks elsewhere and in responding to ongoing incidents.