The CISA Reporting Draft Rules

This past week, CISA (Cybersecurity and Infrastructure Security Agency) published a 447-page draft rule requiring companies to report substantial cyberattacks within 72 hours and ransom payments within 24 hours. The draft details how the agency will enforce the new cyber incident reporting program mandated by Congress and marks a significant step forward in the United States' efforts to bolster its cybersecurity infrastructure. It clearly outlines the entities subject to the new regulations and the types of cyberattacks that must be reported.

Cyber Incident Reporting for Critical Infrastructure Act

In 2022, President Joe Biden signed into law a requirement for CISA to implement a mandatory cyber incident reporting program. Under this program, covered organizations must report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. This move is part of a broader effort to enhance the nation's cybersecurity posture by ensuring that critical information about cyber threats is shared promptly with federal authorities. Over the past two years, CISA has extensively consulted with companies and other stakeholders to define a significant incident and determine which organizations will be obligated to comply with these reporting requirements. According to the draft, any organization that owns or operates critical infrastructure, as defined by CISA, must adhere to these rules. This includes various sectors, such as healthcare, communications, manufacturing, and government services. As proposed in the draft, a significant incident encompasses any event resulting in network downtime or other operational impairments.

What Qualifies as a ‘Substantial’ Cyber Incident?

According to the Wall Street Journal, CISA regards attacks involving unlawful access to systems that result in downtime or significant impairments to operations as the threshold triggering the reporting requirement. For example, a distributed denial of service attack that temporarily stops customers from visiting a company’s public website wouldn’t qualify as substantial, nor would a successful phishing attack that is quickly halted without impact. However, a DDoS attack with significant downtime for critical functions or unauthorized access to a company’s systems through the credentials of a third-party provider would meet the criteria. The agency said it encourages companies to report all cyber incidents, whether or not they meet the regulatory threshold.

What Steps Must a Company Take to Comply?

The first step is to establish a process for determining your organization's materiality: whether an incident rises to the level of a “substantial” cyber incident that must be reported within 72 hours, and whether a ransom payment that must be reported within 24 hours has been made. Not every event crosses that line. Configuration mistakes, lack of patching, insider threats, and server misconfigurations by third-party service providers do not trigger a report if there isn't severe downtime. Another exception is tests of cyber defenses by outside contractors, such as penetration testers, and tabletop exercises that validate process and reporting communications. CISA does have the option to impose fines and other corrective actions.

CISA is Seeking Input

However, it's important to note that the draft is still subject to change. CISA is currently collecting public feedback, which could lead to adjustments in the language and provisions of the final regulations. One notable aspect of the proposed program is that reports made to CISA will be kept private. Nevertheless, CISA is exploring ways to make anonymized data available to security researchers, which could provide valuable insights into the nature and scope of cyber threats facing critical infrastructure sectors.

The establishment of this reporting program is driven by a legislative intent to better understand the frequency and impact of cyberattacks on national security and economic stability. Historically, many companies have been reluctant to report cyber incidents to law enforcement due to concerns about potential repercussions. By mandating confidential reporting to CISA, the program aims to encourage more organizations to come forward with information about cyberattacks, enabling a more coordinated and effective response to such threats. CISA estimates that over 316,000 entities will be subject to the new reporting requirements and anticipates receiving more than 210,000 reports in the first decade of the program's implementation. The agency projects that assessing these reports will cost the federal government approximately $1.2 billion over the same period.

A Step Towards Transparency

Looking ahead, CISA is welcoming public comments on the proposed regulations for the next two months. Following this comment period, the agency has a statutory deadline of 18 months to publish a final rule. This initiative represents a critical step towards enhancing the nation's cybersecurity resilience by fostering a culture of transparency and collaboration between the private sector and federal authorities in addressing cyber threats.