Priya PatelTLDR:
- CISA has released a 447-page draft of a cyber incident reporting rule for critical infrastructure organizations.
- The rule requires reporting of cyber incidents within 72 hours and ransomware payments within 24 hours.
The Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a draft of a new rule outlining how critical infrastructure organizations should report cyberattacks. The 447-page set of regulations, posted to the Federal Register, is part of the Cyber Incident Reporting for Critical Infrastructure Act passed in 2022. The rule mandates reporting of cyber incidents and ransomware payments within specific time frames to bolster the government’s ability to track incidents. Secretary of Homeland Security Alejandro Mayorkas highlighted that the information gathered will aid in responding to incidents, identifying vulnerabilities, and enhancing cybersecurity across critical infrastructure sectors.
The rule covers 16 critical infrastructure sectors including manufacturing, energy, financial services, healthcare, transportation, and water utilities. CISA estimates the cost of enforcing the rule over the next 11 years to be $2.6 billion, with the industry bearing $1.4 billion of the cost. CISA Director Jen Easterly emphasized that the rule will allow for more coordinated action with public and private sectors to combat cyber threats, calling it a “game changer.” However, there are concerns raised by cybersecurity experts about the limitations and delays in the drafting of the rule.
Some experts feel that the rule’s scope is limited and could be more inclusive of smaller organizations. Others have raised questions about the timeliness of the rule’s implementation in light of recent cyber threats. Despite these concerns, the public will have a 60-day period to comment on the draft before it is revised and officially enforced in the next 18 months.
