The Cyber Incident Reporting Council recently released a report that outlines steps the federal government should take to streamline its cybersecurity incident reporting regulations.
The CIRC was created in the 2022 Cyber Incident Reporting for Critical Infrastructure Act, which requires critical infrastructure entities to report cyber incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours and ransomware payments within 24 hours.
CISA must publish a notice of proposed rulemaking to implement the reporting requirements within 24 months.
The American Public Power Association responded to a CISA request for information kicking off the implementation process last fall. A NOPR has yet to be released, but CISA has stated that the report will help inform the pending NOPR.
The CIRC report is a comprehensive survey of 52 in-effect or proposed federal cyber incident reporting requirements across critical infrastructure sectors.
A total of 33 federal agencies participated in the CIRC, including the Department of Energy and the Federal Energy Regulatory Commission.
The report identifies the most significant challenges to harmonization as: (1) differences in definitions; timelines and triggers; content of reports; and reporting mechanisms; (2) procedural and resource burdens; and (3) legal barriers and limited agency authorities.
The report offers recommendations to address these challenges.
Specifically, the report said that the federal government should adopt a model definition of a reportable cyber incident wherever practicable. Federal agencies should evaluate the feasibility of adapting current and future cyber incident reporting requirements to align to a model definition of a reportable cyber incident.
The report also said that the federal government should adopt model cyber incident reporting timelines and triggers wherever practicable, and that federal agencies should evaluate the feasibility of adapting current and future cyber incident reporting requirements to align with model timeline and trigger provisions.
In addition, the report said that agencies with requirements for covered entities to provide notifications to affected individuals or the public should consider whether a delay is warranted when such notification poses a significant risk to critical infrastructure, national security, public safety, or an ongoing law enforcement investigation. A decision to delay the notification to affected individuals or the public would not delay required notification to regulators.
Additional recommendations include:
- The federal government should adopt a model reporting form for cyber incident reports wherever practicable. Agencies should evaluate the feasibility of leveraging the model cyber incident reporting form or incorporating the data elements identified therein into reporting forms, web portals, or other submission mechanisms.
- The federal government should assess how best to streamline the receipt and sharing of cyber incident reports and cyber incident information, including through improvements to existing reporting mechanisms or the potential creation of a single portal.
- Federal cyber incident reporting requirements should allow for updates and supplemental reports.
- The federal government should adopt common terminology regarding cyber incident reporting wherever practicable. Agencies should evaluate the feasibility of leveraging a common lexicon for initial, supplemental, update, and final reports.
- The federal government should improve processes for engaging with reporting entities following the initial report of a cyber incident. Agencies should coordinate among themselves, wherever practicable, prior to engaging with a reporting entity to reduce the burden on the reporting entity.
The report also proposes legislative changes needed to address duplicative reporting, to inform what additional authorities could be granted in future congressional action.