At the RSA Conference 2024 in San Francisco, the Cybersecurity and Infrastructure Security Agency (CISA) announced a 30-day extension for the private sector to provide feedback on the proposed Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) incident reporting rules. This move comes in response to the agency’s acknowledgment of its limited resources, which require a collaborative effort with the private sector to effectively combat cybersecurity threats.
The decision to extend the feedback window reflects CISA’s commitment to fostering an open and collegial relationship with private entities. With the ever-increasing complexity of cyber threats, the agency recognizes the need for input and cooperation from industry stakeholders to enhance the security posture of critical infrastructure. This collaborative approach is essential as CISA lacks the resources to tackle cybersecurity challenges on its own.
However, the introduction of additional reporting requirements, such as those outlined in the CIRCIA rules, raises concerns about the potential burden imposed on organizations already grappling with a myriad of regulatory obligations. In an environment marked by stringent Securities and Exchange Commission regulations, state and local requirements, and recent enforcement actions, the prospect of more red tape has sparked fears of impeding incident response capabilities.
The CIRCIA legislation, enacted in 2022, mandated reporting of cyber attacks within 72 hours and ransom payments within 24 hours. As the rulemaking process moves forward at CISA, the agency finds itself in a challenging position. While lawmakers entrusted CISA with the task of collecting CIRCIA reports due to its standing as a cybersecurity leader, they failed to allocate additional funding for this critical function. This funding gap underscores the need for greater support from Congress to empower CISA in its cybersecurity efforts.
During a panel discussion at RSAC 2024, Moira Bergin, a former subcommittee director, highlighted the resource constraints faced by CISA and emphasized the importance of holding Congress accountable for providing necessary resources. Bergin’s remarks underscored the urgency of addressing the resource shortfall to ensure CISA’s effectiveness in safeguarding critical infrastructure.
In response to these challenges, CISA has emphasized the importance of streamlined reporting and coordinated cyber defense efforts. Executive director Brandon Wales stressed the significance of sharing incident data with the federal government as a means of bolstering national cybersecurity defenses. While enforcement measures exist for non-compliance, Wales highlighted the broader benefits that organizations stand to gain by contributing to a collective defense posture.
Collaboration between CISA and industry stakeholders, exemplified by partnerships with organizations like CrowdStrike through the Joint Cyber Defense Collaborative (JCDC), underscores the shared commitment to enhancing cybersecurity resilience. As the final implementation of CIRCIA reporting requirements approaches, stakeholders are urged to seek clarity on the scope and definitions of covered incidents to ensure compliance.
As CISA continues to solicit feedback on the CIRCIA rules through the Federal Register until July 3, the private sector is encouraged to actively engage in the rulemaking process. By fostering a culture of collaboration and transparency, CISA and its stakeholders can work together to strengthen the nation’s cyber defenses and mitigate the evolving threat landscape.

