The Department of Homeland Security delivered a 100-page report on Tuesday with recommendations on how to revamp the thicket of cyber incident reporting requirements faced by U.S. critical infrastructure operators.
Developed by the Cyber Incident Reporting Council — a body made up of multiple federal agencies including the Office of the National Cyber Director, Federal Trade Commission and the Departments of Energy, Treasury, Defense and Justice — Tuesday’s report found that critical infrastructure entities face a dizzying 45 active reporting requirements from 22 different federal agencies and an additional five under consideration.
Harmonizing these requirements is a part of a larger Biden administration effort to develop more effective cyber policy, which has been shaped by an ad hoc approach from multiple agencies with varying authorities and resources.
“Reporting cyber incidents is critical to the nation’s cybersecurity: It allows us to spot trends in real-time, rapidly render assistance to victims, and share information to warn other potential targets before they become victims,” CISA Director Jen Easterly said in a statement. “We also recognize that the need for this information must be balanced with the burdens placed on industry, ensuring that requirements are harmonized and streamlined as effectively as possible.”
The Cyber Incident Reporting Council worked with more than 30 federal agencies in developing its recommendations. While CISA’s proposed rule on cyber incident reporting is not expected until next year, the report will shape the rule.
The council’s report was required under the Cyber Incident Reporting for Critical Infrastructure Act, a landmark bill that seeks to harmonize existing cyber incident reporting requirements and require new ones for critical infrastructure owners and operators.
Having a unified reporting requirement across critical infrastructure is expected to help both the private sector and federal government better understand the threat landscape while also assisting in prioritization efforts, and Tuesday’s report recommends that the requirements and submission process for incident reporting be as uniform as possible across sectors.
Within cyber incident reporting, the varying requirements represent a “significant challenge to harmonizing current” reporting requirements, the report notes. What qualifies as an incident, how soon an incident should be reported and how it should be reported are among the issues that need to be simplified, according to the report.
The report recommends that the federal government have a model definition for a “reportable cyber incident” and that agencies should examine whether they can adapt to such a definition. Agencies that have reporting requirements should also consider delayed public notifications if public notification poses a national security risk, the report notes.
The council’s report recommends that incidents that impact “national and economic security and safety” may need to be reported more promptly than the 72 hours that is the current reporting timeline under CIRCIA. Impacts to personal private information may be treated with greater flexibility, the council’s report suggests.
Additionally, the report argues that the process for engaging with victims should be improved so multiple agencies are not asking for the same information.
Updating incident reporting rules to be more in line with one another will likely be a long process. Such procedures can last months if not years — assuming the agency even has the authority to make such changes, the report warns. The Environmental Protection Agency, for example, told the council that the agency does not have the authority to require reporting from utilities.