CISA seeks public input as it moves to develop proposed regulations following CIRCIA directives
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced Friday that it will issue a Request for Information (RFI) soliciting public input on approaches to implementing the Act's cyber incident reporting requirements. The call for feedback comes as CISA develops proposed regulations under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which President Joe Biden signed into law in March 2022.

The CIRCIA mandates that CISA consult with various entities throughout the rulemaking process, including Sector Risk Management Agencies (SRMAs), the Department of Justice, other appropriate federal agencies, and a soon-to-be-formed, DHS-chaired Cyber Incident Reporting Council. It also requires that CISA develop and publish a Notice of Proposed Rulemaking (NPRM), which will be open to public comment, and a Final Rule. 

The RFI will be published in the Federal Register on Monday, Sept. 12, and gives the public 60 days to file written submissions. “Written comments are requested on or before November 14, 2022. Submissions received after that date may not be considered,” according to the notice.

CISA said that owners and operators have two ways to provide input on the rulemaking process: submit written comments in response to the RFI, or participate in one of the listening sessions CISA will host around the country. The sessions are meant to gather in-person input to inform the development of the proposed regulations. The agency will hold eleven in-person listening sessions, one in each of CISA’s ten regions and an additional one in Washington, D.C.

The Federal Register notice contains a list of topics on which CISA believes input would be instrumental in developing a balanced approach to implementing the regulatory authorities Congress assigned to CISA under CIRCIA.

The agency encourages public comment on these topics and on any other topics commenters believe may help CISA develop regulations implementing the CIRCIA authorities. The feedback most useful to the agency will identify specific approaches CISA may want to consider and explain why each would foster a cost-effective and balanced approach to cyber incident and ransom payment reporting requirements.

Feedback that contains specific information, data, or recommendations is more valuable to CISA than generic feedback that omits these components. For comments that include numerical estimates, CISA asks commenters to state the assumptions behind those estimates.

CISA is particularly interested in input on definitions for and interpretations of the terminology to be used in the proposed regulations, as well as the form, manner, content, and procedures for submission of reports required under CIRCIA. The agency is also interested in information regarding other incident reporting requirements and in other policies and procedures, such as enforcement procedures and information protection policies, that will be required to implement the regulations.

CIRCIA requires CISA to develop and publish an NPRM for public comment and review, containing proposed regulations for cyber incident and ransom payment reporting, within 24 months of CIRCIA’s enactment. The RFI is the first public step in that process: it solicits input from the critical infrastructure community and other members of the public, and that input will inform the agency’s development of the proposed regulations.

CIRCIA marks an important milestone in improving America’s cybersecurity by, among other things, requiring CISA to develop and implement regulations that require covered entities to report covered cyber incidents and ransom payments to the agency. These reports will allow CISA, in conjunction with other federal partners, to rapidly deploy resources and assist victims suffering attacks, and to analyze incoming reports across sectors to spot trends. The reports will also help CISA understand how malicious cyber actors are carrying out their attacks and quickly share that information with network defenders to warn other potential victims.

Jen Easterly, CISA director, said in a Friday media statement that the CIRCIA “is a game changer for the whole cybersecurity community and everyone invested in protecting our nation’s critical infrastructure. It will allow us to better understand the threats we are facing, to spot adversary campaigns earlier, and to take more coordinated action with our public and private sector partners in response.”

“We can’t defend what we don’t know about and the information we receive will help us fill critical information gaps that will inform the guidance we share with the entire community, ultimately better defending the nation against cyber threats,” Easterly said.  

She added that her agency looks forward to learning from the critical infrastructure community “through our request for information and our coast-to-coast listening sessions – to understand how we can implement the new cyber incident reporting legislation in the most effective way possible to protect the nation’s critical infrastructure.” 

Timely cyber incident reporting allows CISA to rapidly deploy resources and assist victims suffering attacks, identify emerging threats and trends, and share threat information with federal partners and network defenders to take protective action and warn other potential victims. When information about cyber incidents is shared quickly, CISA can use the information to render assistance and provide warnings to prevent other organizations from falling victim to a similar incident. Additionally, the information is also critical to identifying trends that can help efforts to protect the homeland.

The Federal Register notice said that the growing number of cyber incidents, including ransomware attacks, is one of the nation’s most serious economic and national security threats. From the theft of private, financial, or other sensitive data to cyber-attacks that damage computer networks or facilitate the manipulation of operational or other control systems, cyber incidents are capable of causing significant, lasting harm, it added.

The notice also pointed to the many benefits of reporting cyber incidents and ransom payments to the government. “An organization that is a victim of a cyber incident, including those that result in ransom payments, can receive assistance from government agencies that are prepared to investigate the incident, mitigate its consequences, and help prevent future incidents through analysis and sharing of cyber threat information,” it added.

CISA is interested in receiving public input on potential aspects of the proposed regulation prior to publication of the NPRM and is issuing this RFI as a means to receive that input, according to the Federal Register notice. “While CISA welcomes input on other aspects of CIRCIA’s regulatory requirements, CISA is particularly interested in input on definitions for and interpretations of the terminology to be used in the proposed regulations; the form, manner, content, and procedures for submission of reports required under CIRCIA; information regarding other incident reporting requirements including the requirement to report a description of the vulnerabilities exploited; and other policies and procedures, such as enforcement procedures and information protection policies, that will be required for implementation of the regulations,” it added.

The notice said that owners and operators of entities in critical infrastructure sectors would have beneficial information, data, and perspectives on the different approaches to reporting requirements, given the potential impact these requirements may have on their organizations and industries. “Accordingly, CISA is seeking specific public feedback to inform its proposed regulations to implement CIRCIA’s regulatory requirements. All members of the public, including but not limited to specialists in the field, academic experts, industry, public interest groups, and those with relevant economic expertise, are invited to comment,” it added.

While covered cyber incident and ransom payment reporting under CIRCIA will not be required until the Final Rule implementing CIRCIA’s reporting requirements takes effect, CISA encourages critical infrastructure owners and operators to voluntarily share information on cyber incidents with the agency before that date.