
CISA releases draft rule for cyber incident reporting

March 27, 2024 – Published on CyberScoop

In one of the biggest cybersecurity policy reforms in recent memory, the Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday released its much-anticipated notice of proposed rulemaking to require critical infrastructure organizations to report cybersecurity incidents, a move intended to provide the federal government with better insight about breaches that affect highly sensitive entities, such as water and power utilities. 

Wednesday’s notice of proposed rulemaking (NOPR) represents the next step in a process that began after the Cyber Incident Reporting for Critical Infrastructure Act was signed into law in March 2022. That law was inspired in part by the SolarWinds hack, which made clear the lack of information available to the federal government about breaches affecting critical infrastructure entities. It also represents one of the first steps by CISA to take on a more regulatory role that the agency has tried to avoid.

Under the rules, companies will have to report incidents within 72 hours “after the covered entity reasonably believes the covered cyber incident has occurred” and ransomware payments within 24 hours of being made, unless the payment accompanies a covered incident, in which case the organization has 72 hours.

However, some experts pointed out that entities may not have the financial resources to implement the requirements. For example, the rules require community water systems and water treatment services that serve more than 3,300 people to report incidents, and experts question whether these entities can implement proper security measures — let alone spot and report breaches. 

Chris Warner, an operational technology security strategist at GuidePoint Security, noted that most organizations don’t have an OT security program, and that municipalities can have as few as 3 or 4 people running security for the whole water utility.
