Today, the Cybersecurity and Infrastructure Security Agency (CISA) announced their plans to issue a Request for Information (RFI) soliciting public input on approaches to implementing the cyber incident reporting requirements, pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which President Biden signed into law in March 2022. The RFI will publish in the Federal Register on Monday, September 12 and provide the public with 60 days to provide their written submissions.
CIRCIA requires CISA to develop and publish a Notice of Proposed Rulemaking (NPRM) for public comment and review, containing proposed regulations for cyber incident and ransom payment reporting. The RFI solicits input from the critical infrastructure community and other members of the public, and that input will inform the agency’s development of the proposed regulations.
Timely cyber incident reporting allows CISA to rapidly deploy resources and render assistance to victims suffering attacks, identify emerging threats and trends, and quickly share threat information with federal partners and network defenders to take protective action and warn other potential victims.
“The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a game changer for the whole cybersecurity community and everyone invested in protecting our nation’s critical infrastructure. It will allow us to better understand the threats we are facing, to spot adversary campaigns earlier, and to take more coordinated action with our public and private sector partners in response,” said CISA Director Jen Easterly. “We can’t defend what we don’t know about and the information we receive will help us fill critical information gaps that will inform the guidance we share with the entire community, ultimately better defending the nation against cyber threats. We look forward to continuing to learn from the critical infrastructure community – through our request for information and our coast-to-coast listening sessions – to understand how we can implement the new cyber incident reporting legislation in the most effective way possible to protect the nation’s critical infrastructure.”
In addition to providing the opportunity to submit written comments in response to the RFI, CISA announced today it will be hosting public listening sessions across the country to receive in-person input from the American people to inform the development of the proposed regulations.
The Department of Homeland Security is also leading the newly established Cyber Incident Reporting Council, which was created by CIRCIA to better harmonize the various existing federal cyber incident reporting structures. The work of the Council will inform, as appropriate, the new proposed rule.
Detailed information about the RFI and the upcoming listening sessions, including dates, locations and how to register, is available on CISA’s website at cisa.gov/CIRCIA.