The Department of Homeland Security (DHS) has released a new report that seeks to streamline the many different channels through which cyber incidents are reported to the Federal government and its agencies.

The report, titled “Harmonization of Cyber Incident Reporting to the Federal Government” and released on Sept. 19, comes as there are currently over 45 different cyber incident reporting requirements at the Federal level.

“It is imperative that we streamline these requirements,” DHS Under Secretary for Policy Rob Silvers, chairman of the Cyber Incident Reporting Council (CIRC), said in a statement released with the report. “Federal agencies should be able to receive the information they need without creating duplicative burdens on victim companies that need to focus on responding to incidents and taking care of their customers.”

The recommendations in the report were developed in part by the CIRC and include the following:

  • The Federal government should adopt a model definition of a reportable cyber incident wherever practicable;
  • The Federal government should adopt model cyber incident reporting timelines and triggers wherever practicable;
  • Agencies with requirements for covered entities to provide notifications to affected individuals or the public should consider whether a delay is warranted when such notification poses a significant risk to critical infrastructure, national security, public safety, or an ongoing law enforcement investigation;
  • The Federal government should adopt a model reporting form for cyber incident reports wherever practicable;
  • The Federal government should assess how best to streamline the receipt and sharing of cyber incident reports and cyber incident information, including through improvements to existing reporting mechanisms or the potential creation of a single portal;
  • Federal cyber incident reporting requirements should allow for updates and supplemental reports; and
  • The Federal government should adopt common terminology regarding cyber incident reporting wherever practicable.

The Cybersecurity and Infrastructure Security Agency (CISA) will use the recommendations to make informed decisions on the ongoing rulemaking process for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).

CIRCIA – which was signed into law in March 2022 – requires CISA to develop and implement regulations requiring covered entities to report cyber incidents and ransomware payments to the government.

CISA Director Jen Easterly said that CISA is currently finishing up work on the Notice of Proposed Rulemaking for its cyber incident reporting rule, which she said “should be out later this year or early next year.”

“In the critical period immediately following a cyberattack, our private sector partners need clear, consistent information-sharing guidelines to help us quickly mitigate the adverse impacts,” said Secretary of Homeland Security Alejandro N. Mayorkas. “The recommendations that DHS is issuing today provide needed clarity for our partners.”

Jose Rascon is a MeriTalk Staff Reporter covering the intersection of government and technology.