DHS Takes Major Step on Rules for Reporting Cyberattacks

March 29, 2024
The proposed rules are now in an open comment period for 60 days, allowing for public suggestions

On March 27, the Federal Register “posted for public inspection the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Notice of Proposed Rulemaking (NPRM), which CISA was required to develop by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This marks a major step in bolstering America’s cybersecurity.”

CIRCIA’s implementation should “improve CISA’s ability to use cybersecurity incident and ransomware payment information reported to the agency to identify patterns in real-time, fill critical information gaps, rapidly deploy resources to help entities that are suffering from cyber attacks, and inform others who would be potentially affected.” Once the NPRM is published in the Federal Register, the public will have 60 days to “submit written comments to inform the direction and substance of the Final Rule.”

Secretary of Homeland Security Alejandro N. Mayorkas touts CIRCIA’s enhancement of the department’s “ability to spot trends, render assistance to victims of cyber incidents, and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors.”

CISA has solicited input from “public and private sector stakeholders” since 2022. The NPRM contains “proposed regulations for cyber incident and ransom payment reporting, as well as other aspects of the CIRCIA regulatory program.”

CISA’s website has the news release.