DHS proposes harmonizing cyber incident reporting for critical infrastructure entities to identify trends, prevent attacks

The U.S. Department of Homeland Security (DHS) outlined a series of actionable recommendations on how the federal government can streamline and harmonize the reporting of cyber incidents to protect the nation’s critical infrastructure. Delivered to Congress on Tuesday in a report, these recommendations are intended to let the government identify trends in malicious cyber incidents and help organizations prevent, respond to, and recover from attacks. The recommendations are also mandated by the March 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).

These recommendations have been developed in coordination with the Cyber Incident Reporting Council (CIRC), which was established in 2022 and is chaired by DHS Under Secretary for Policy Robert Silvers on behalf of the Secretary of Homeland Security. The CIRC’s role is to coordinate, deconflict, and harmonize existing and future federal cyber incident reporting requirements.

Key recommendations include establishing model definitions, timelines, and triggers for reportable cyber incidents; creating a model cyber incident reporting form that federal agencies can adopt; and streamlining the reporting and sharing of information about cyber incidents, including the assessment of a potential single reporting web portal. The report also notes that there are situations when incident reporting might be delayed, such as when it would pose a significant risk to critical infrastructure, national security, public safety, or an ongoing law enforcement investigation.

The CIRC includes representation from 33 federal agencies, including the Departments of Homeland Security, Treasury, Defense, Justice, Agriculture, Commerce, Health and Human Services, Transportation, and Energy, the Office of the National Cyber Director (ONCD), the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), and the Federal Communications Commission (FCC).

“The recommendations that DHS is issuing today provide needed clarity for our partners,” Alejandro N. Mayorkas, secretary of Homeland Security, said in a media statement. “They streamline and harmonize reporting requirements for critical infrastructure, including by clearly defining a reportable cyber incident, establishing the timeline for reporting, and adopting a model incident reporting form. These recommendations can improve our understanding of the cyber threat landscape, help victims recover from disruptions, and prevent future attacks.”

Mayorkas added that he looks forward to working with Congress and partners across every level of government and the private sector to implement these recommendations and strengthen the resilience of communities across the country.

“To develop these recommendations, the Cyber Incident Reporting Council analyzed over 50 different federal cyber incident reporting requirements and engaged with numerous industry and private sector stakeholders,” according to Silvers. “It is imperative that we streamline these requirements.”

Silvers added that federal agencies should be able to receive the information they need without creating duplicative burdens on victim companies that need to focus on responding to incidents and taking care of their customers. “We look forward to working with Congress and across the Executive Branch to implement these recommendations.”

“Reporting cyber incidents is critical to the nation’s cybersecurity: It allows us to spot trends in real-time, rapidly render assistance to victims, and share information to warn other potential targets before they become victims,” Jen Easterly, director at CISA (Cybersecurity and Infrastructure Security Agency), said. “We also recognize that the need for this information must be balanced with the burdens placed on industry, ensuring that requirements are harmonized and streamlined as effectively as possible.”

She added that as CISA “implements reporting requirements as part of the Cyber Incident Reporting for Critical Infrastructure Act, these recommendations – along with the extensive input from stakeholders submitted as part of our rulemaking process – will help inform our proposed rule.”

The March release of the U.S. administration’s National Cybersecurity Strategy called for the establishment of an initiative aimed at harmonizing cybersecurity regulations to bolster national security and public safety. It outlined that the Office of the National Cyber Director (ONCD), in coordination with OMB (Office of Management and Budget), will work with independent and executive branch regulators, including through the Cybersecurity Forum for Independent and Executive Branch Regulators, to identify opportunities to harmonize baseline cybersecurity requirements for critical infrastructure.

It also laid down that, through a request for information, the ONCD will engage non-governmental stakeholders to understand existing challenges with regulatory overlap and explore a framework for reciprocity for baseline requirements. The completion date for the task is the first quarter of fiscal year 2024.

Last week, the U.S. Department of Defense (DOD) released an unclassified summary of its classified 2023 Cyber Strategy. The unclassified summary aims to provide an overview of the key priorities within the 2023 DOD Cyber Strategy and should not be viewed as an exhaustive account. It focuses exclusively on matters within the cyber domain and outlines how the department will address current and future cyber threats, alongside the four complementary lines of effort that it will pursue.