US critical infrastructure cyberattack reporting rules inch closer to reality

March 28, 2024 – Published on The Register

America’s long-awaited cyberattack reporting rules for critical infrastructure operators are inching closer to implementation, after the Feds posted a notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).

President Joe Biden signed CIRCIA into law in March 2022, which started a clock for the US Cybersecurity and Infrastructure Security Agency (CISA): it had two years to propose a rule.

As proposed, the 447-page rule would require organizations that fall under any of the United States’ 16 critical infrastructure sectors to report “substantial cyber incidents” within 72 hours of discovering them. This essentially includes any digital intrusion that leads to substantial harm, poses a significant threat to the organization’s ability to function, or threatens national security, public health, or safety.

It also would require these organizations to report ransom payments within 24 hours.

The proposal is scheduled to publish in the Federal Register on April 4, and from that time the public will have 60 days to submit written comments before the regulations become law. CISA expects to publish the final rule within 18 months after the public comment period closes.

As the latest comment period opens, one issue likely to receive pushback from industry is the added layer of compliance that the cybersecurity reporting rule will put onto critical infrastructure owners and operators.

“There’s already a huge, huge strain on resources – and not just financial but human resources – to maintain compliance across all critical infrastructures,” Chris Warner, operational technology security strategist at GuidePoint Security, told The Register. “OT security folks don’t grow on trees.”