CISA Releases Notice on Long-Awaited Critical Infrastructure Reporting Guidelines
Author : Radio China    Time : 2024-04-02    Source :

The Cybersecurity and Infrastructure Security Agency (CISA) has finally released the much-awaited notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act of 2022. This rule aims to compel covered entities to promptly report cyber disruptions and ransomware payments.

Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), covered entities are obligated to report significant cyber incidents within 72 hours of discovery, and ransom payments must be reported within 24 hours. The objective of this proposed rule is to enhance coordination among federal authorities in responding to critical infrastructure threats and facilitate the sharing of crucial information with industry and government partners.

CISA Director Jen Easterly emphasized the significance of CIRCIA, stating that it will revolutionize cybersecurity efforts by enabling better threat understanding, early detection of adversary activities, and more coordinated responses with both public and private sector stakeholders.

According to CISA's estimates, the proposed rule is anticipated to incur costs of $2.6 billion over the analysis period, potentially affecting over 316,000 entities. However, there remains ambiguity regarding which entities will be fully subject to compliance under the new rule, with further debate expected on this matter.

Analysts point out that while UnitedHealth Group, a key player in the recent cyberattack at Change, would be considered a critical infrastructure provider under current definitions, there's uncertainty about whether entities like Change Healthcare, responsible for the recent sector-wide disruption, fall under the existing framework.

The Department of Homeland Security, under which CISA operates, made the unpublished notice available for public inspection on the Federal Register website on Wednesday. The notice is set for formal publication on April 4, followed by a 60-day comment period to solicit feedback from the public.

Stay updated on the latest developments within Mission/business critical communications ecosystem. Sign up for our newsletter by registering your e-mail address.