CISA Courts Private Sector to Get Behind CIRCIA Reporting Rules

RSA CONFERENCE 2024 – San Francisco – The Cybersecurity and Infrastructure Security Administration (CISA) has tagged an additional 30 days onto the window for the private sector to provide feedback on proposed Cyber Incident Reporting for Critical Infrastructure (CIRCIA) incident reporting rules. The agency has to maintain an open and collegial relationship with the private sector because it simply doesn't have the resources necessary to do the job in-house.

But the reality of imposing another set of disclosure deadlines, on top of Security and Exchange Commission regulations (and enforcement) and state and local requirements, brings concerns about potentially piling more red tape onto victims of a cybercrime, and ultimately slowing down incident response.

CIRCIA was signed into law in 2022, requiring reporting an attack within 72 hours and any ransom payments within 24 hours, and has now moved to the end stages of rulemaking at CISA. Lawmakers placed the responsibility of collecting the information on CISA because of the agency's existing ability to act as a "convening authority" for the cybersecurity sector at large, according to Moira Bergin, who served as a subcommittee director under the House Committee on Homeland Security and helped to establish the legislation. However, after saddling CISA with the responsibility of collecting CIRCIA reporting, Congress denied any additional funding to help them resource up for the job.

"We need to hold Congress accountable; CISA has not gotten the resources they've requested," Bergin said during a panel discussion at RSAC 2024.

Now CISA is stuck — and asking for help from the same group it's required to regulate.

Streamlined Reporting, Coordinated Cyber Defense

CISA executive director Brandon Wales tried to downplay enforcement and instead implored the cyber community to view sharing their incident data with the federal government as a gesture of goodwill to shore up the entire country's cyber defenses. Bergin, however, reminded the audience that failure to comply with the regulation could result in organizations being banned from doing any business with the federal government.

Individual enterprise victims won't likely see a direct benefit from sharing their intelligence with CISA, Wales explained, but will see improvements in the long run as the agency is able to do a better job at defending because it is aided by data from across the US infrastructure ecosystem.

Wales added that CISA is trying to become the singular repository for incident reporting, meaning organizations that have overlapping oversight from federal and state agencies could see a simpler process following the implementation of CIRCIA reporting rules.

Large cyber organizations like CrowdStrike have been working with CISA through the Joint Cyber Defense Collaborative (JCDC), while also acting as a vendor to the agency. Drew Bagley, CrowdStrike's vice president and council, privacy and cyber policy, said the company is prepared to continue its dual role of contributing to what he calls the "whole-of-community response" through the JCDC, CIRCIA reporting, and more, in tandem with the company's work as a threat intelligence vendor for CISA.

As the clock counts down to the final implementation of CIRCIA reporting requirements, Bagley recommends the private sector continue to push for clear definitions of what is covered under the rules.

"The private sector should pay attention to how a covered entity is defined and what a covered incident is," Bagley added.

CISA will accept recommendations on CIRCIA rules via the Federal Register through July 3.