CISA proposes cyber incident reporting rules under CIRCIA to strengthen US cybersecurity


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a Notice of Proposed Rulemaking (NPRM) for public review, as mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The release marks a significant step toward strengthening America’s cybersecurity posture.

The NPRM is scheduled for formal publication in the Federal Register next Thursday, opening a 60-day period for the public to submit written comments that will shape the direction and content of the Final Rule. CIRCIA authorizes CISA to use various mechanisms to obtain information from a covered entity about a covered cyber incident or ransom payment that was not reported under CISA’s proposed regulatory reporting requirements.

The notice explains that, in developing its definitions, CISA examined how other federal departments and agencies that regulate cyber incident reporting define similar terminology for their reporting regimes, reviewed the Model Definition for a Reportable Cyber Incident proposed by the Secretary of Homeland Security in the CIRC-informed DHS Report to Congress, and considered the many comments received on this topic from stakeholders, both at CIRCIA listening sessions and in written comments submitted in response to the CIRCIA RFI.

The agency detailed that the implementation of CIRCIA will improve CISA’s ability to use the cyber incident and ransomware payment information reported to it to identify patterns in real time, fill critical information gaps, rapidly deploy resources to help entities that are suffering from cyberattacks, and inform others who could potentially be affected.

When information about cyber incidents is shared quickly, CISA can use this information to render assistance and provide warnings to prevent other organizations from falling victim to a similar incident. This information is also critical to identifying trends that can help efforts to protect the homeland.

“Cyber incident reports submitted to us through CIRCIA will enable us to better protect our nation’s critical infrastructure,” Alejandro N. Mayorkas, Secretary of Homeland Security, said in a media statement. “CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents, and quickly share information with other potential victims, driving cyber risk reduction across critical infrastructure sectors.”

He added that the proposed rule is the result of collaboration with public and private stakeholders, and DHS welcomes feedback during the public comment period on the direction and substance of the final rule.

“CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure,” Jen Easterly, CISA director, noted. “It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats. We look forward to additional feedback from the critical infrastructure community as we move towards developing the Final Rule.”

The NPRM is divided into six sections. The first covers the public participation process through which members of the public can submit comments on the proposed regulations and lists the specific topics on which CISA is particularly interested in receiving public comment. The second is an executive summary of the proposed regulatory action and the anticipated costs and benefits of the proposed regulations.

The background-and-purpose section provides a summary of the legal authority for this proposed regulatory action; an overview of the current regulatory cyber incident reporting landscape; a description of the purpose of the proposed regulations; a discussion of the efforts CISA has taken to harmonize these proposed regulations with other federal cyber incident reporting regulations; a discussion of information sharing activities related to the proposed regulations; and a summary of the comments CISA received in response to an RFI it issued on approaches to the proposed regulations and during listening sessions it hosted on the same topic.

The notice also includes a detailed discussion of the proposed rule, the justification for CISA’s specific proposals, and the alternatives CISA considered. It further includes the statutory and regulatory analyses that CISA is required by statute or Executive Order (EO) to perform as part of the rulemaking process before issuing the final rule, such as the Initial Regulatory Flexibility Analysis and the Unfunded Mandates Reform Act analysis. Lastly, it contains the proposed regulatory text.

CISA estimates the cost of this proposed rule would be US$2.6 billion over the period of analysis (undiscounted), with 316,244 entities potentially affected by the proposed rule that would collectively submit an estimated total of 210,525 CIRCIA reports over that period, resulting in $1.4 billion (undiscounted) in cost to industry and $1.2 billion (undiscounted) in cost to the federal government.

Discounted at 2 percent, the cost over the period of analysis would be $2.4 billion ($1.3 billion for industry, $1.1 billion for government), with an annualized cost of $244.6 million, as presented in the Preliminary Regulatory Impact Analysis (RIA) included in the docket.

The proposed rule said that the main industry cost drivers are the initial costs associated with becoming familiar with the proposed rule, followed by the recurring data and records preservation requirements, and then reporting requirements. 

Other industry costs include those associated with help desk calls and enforcement actions. Government costs include costs CISA anticipates incurring associated with the creation, implementation, and operation of the government infrastructure needed to run the CIRCIA program. This includes both personnel and technology costs necessary to support the receipt, analysis, and sharing of information from CIRCIA reports submitted to CISA.

“We commend CISA for its work in issuing the NPRM for the Cyber Incident Reporting for Critical Infrastructure Act and for its efforts to engage stakeholders early on in the process,” Rep. Bennie G. Thompson (D-MS), Ranking Member of the Committee on Homeland Security, and Rep. Yvette D. Clarke (D-NY) said in a Wednesday statement. “Establishing a mandatory cyber incident reporting framework is an enormous undertaking. As we in Congress review and weigh in on the NPRM, our goal will be to ensure that CISA will have access to the information necessary to disrupt malicious cyber campaigns earlier and identify new tactics of bad actors so the government and the private sector can drive down risk.”

At the same time, they added “we want to reduce compliance costs so more resources can be invested in security. Toward that end, now that the NPRM is out, we hope the Cyber Incident Reporting Council will redouble its efforts to promote harmonization of duplicative cyber incident reporting frameworks across government.”

Last October, CISA announced the next steps for ongoing engagement with industry and government to update the National Cyber Incident Response Plan (NCIRP). The NCIRP 2024 will address changes since the 2016 release by incorporating lessons learned and stakeholder feedback, ensuring that the updated NCIRP is fully inclusive of non-federal stakeholders, and establishing a foundation for continued improvement of the nation’s response to significant cyber incidents.
