Cyber incident reporting requirements are way too complex, federal report finds

The federal government should standardize and streamline the dozens of rules requiring organizations to report cyber attacks, DHS chief says.

The Department of Homeland Security (DHS) is seeking to streamline the dozens of federal reporting requirements for critical infrastructure entities experiencing cyber incidents.

Currently, a total of 22 different federal agencies have 45 active reporting requirements, and 7 more are expected—which DHS Under Secretary for Strategy, Policy, and Plans Robert Silvers told Bloomberg means that “everybody is desperate for some harmonization and standardization here.”

Silvers chairs the inter-agency Cybersecurity Incident Reporting Council (CIRC), which released a 107-page report detailing a plan to simplify the reporting processes on Sept. 19. CIRC’s recommendations are “a first-of-its-kind effort” to clear up the “patchwork” rules currently in place, Silvers told Bloomberg.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the law that created CIRC, also created requirements that covered entities report attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. Ransom payments must be reported within 24 hours.

CIRCIA’s rules differ from those established by other agencies such as the Securities and Exchange Commission (SEC), which recently adopted rules mandating that publicly traded companies disclose material incidents via Form 8-K. Agencies also don’t necessarily share common terminology or definitions of what a cyber incident is, let alone other specifics such as what constitutes an “initial report.”

“We’re talking NSA, we’re talking CISA, we’re talking the Office of the National Cyber Director, we’re talking FBI, we’re talking sector risk-management agencies like Coast Guard or DOT [Department of Transportation] or DOE [Department of Education],” Will Loomis, associate director at the Atlantic Council’s Cyber Statecraft Initiative, told IT Brew last year of the requirements.

Suggestions in the report include adopting a “model definition of a reportable cyber incident wherever practicable,” creating standardized cyber reporting forms and processes any agency can implement, allowing updates and supplements to existing reports, and reconsidering the timelines for disclosure requirements. CIRC also proposed creating a single portal for federal cyber incident reporting, using common reporting technology and terminology across agencies, and improving inter-agency collaboration when acting on reports.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

The maze of reporting requirements following an attack has been a frequent point of contention not just for entities in covered sectors, but for former CISA chief Chris Krebs.

Last year, Krebs told Black Hat 2022 attendees there should be one “front door that is clearly visible” whenever an entity is required to notify the federal government of an incident.

Krebs recommended CISA become that front door, which CIRC’s report does not call for. However, the CIRCIA reporting requirements will greatly expand the federal government’s threat intelligence on trends like ransomware, CISA’s current director Jen Easterly recently told attendees at DEF CON 31 in Las Vegas.

Another recommendation in the CIRC report that would require congressional action is exempting cyber incident reports from Freedom of Information Act (FOIA) requests, as the council concluded that covered entities “frequently” raise concerns that reports could become public knowledge even when such disclosure is not otherwise required.

As it currently stands, the report stated, entities may have to submit reports to multiple agencies that may have different rules in place on how to respond to FOIA requests, or on how much information they will release.

“Reporting cyber incidents is critical to the nation’s cybersecurity: It allows us to spot trends in real-time, rapidly render assistance to victims, and share information to warn other potential targets before they become victims,” Easterly wrote in a statement.

“We also recognize that the need for this information must be balanced with the burdens placed on industry, ensuring that requirements are harmonized and streamlined as effectively as possible,” she added.