CISA Executive Director Brandon Wales on the Impact of CIRCIA
In March 2022 President Biden signed into law CIRCIA, marking an important milestone in improving America’s cybersecurity.
CIRCIA is the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
In March 2022 President Biden signed into law CIRCIA, marking an important milestone in improving America’s cybersecurity by, among other things, requiring CISA to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA.
These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.
CIRCIA includes a number of requirements related to the required reporting and sharing of covered cyber incidents, including the following:
- Cyber Incident Reporting Requirements: CIRCIA requires CISA to develop and issue regulations requiring covered entities to report to CISA any covered cyber incidents no later than 72 hours from the time the entity reasonably believes the incident occurred.
- Federal Cyber Incident Report Sharing: Any federal agency, including independent establishments, receiving a report on a cyber incident after the effective date of the Final Rule must share that report with CISA no later than 24 hours.
- Cyber Incident Reporting Council: DHS was required to establish and Chair an intergovernmental Cyber Incident Reporting Council (Council) to coordinate, deconflict, and harmonize federal incident reporting requirements.
Coalfire, the world’s largest firm dedicated to cybersecurity services, wrote in this article their views of the program, raising some very practical concerns and considerations about how such a complex scheme may be administered, in terms of the challenges of scale and also what the unplanned consequences might be for those following the reporting.
In this interview learn about how CISA has been working with stakeholders to develop a proposed rule on cyber incident reporting for critical infrastructure, the aggressive cyber threat environment, and why everyone should report cyber incidents now and not wait for the final rule.