CISA Proposes Federal Rules for Cyber Incident Reporting


This article is taken from the March 29, 2024 NGFA Newsletter.

The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) on March 27 published a proposed rule that would require covered critical infrastructure companies to report substantial cyber incidents to CISA within 72 hours of reasonably believing one has occurred, and to report ransom payments within 24 hours of making them.

Entities in every critical infrastructure sector, including food and agriculture, are within scope of the proposal, with the general exception of those that fall under the Small Business Administration’s small-business size standards. The 447-page proposal also sets out sector-specific criteria that can bring an entity into scope regardless of its size, and these criteria vary from sector to sector.

CISA’s proposal references several comments submitted by NGFA in 2022. NGFA’s recommendations included excluding small companies from the definition of those that need to report incidents.

CISA estimates that the proposed rules’ costs will total $2.6 billion over 11 years. Roughly 316,000 entities are potentially impacted, the agency said, and it expects to receive more than 25,000 reports per year starting in 2026.

“When information about cyber incidents is shared quickly, CISA can use this information to render assistance and provide warning to prevent other organizations from falling victim to a similar incident,” CISA noted in a news release. “This information is also critical to identifying trends that can help efforts to protect the homeland.”

The agency developed the rules after President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law in March 2022. Once it is published in the Federal Register on April 4, CISA will accept public comments on the proposal for 60 days.