A new report has been released by the Cyber Incident Response Coordination Working Group (CIRC) that recommends the creation of model timelines and triggers for reporting cyber incidents. The report, which was created in response to a request by the U.S. Department of Homeland Security (DHS), aims to streamline the reporting process and harmonize requirements across different agencies.
The report outlines that a “reportable cyber incident” includes compromises of information systems, networks, or operational technologies of customers or third parties, as well as business or operational disruptions caused by compromises of cloud service providers, managed service providers, or other data hosting providers.
One of the key recommendations in the report is the establishment of model timelines and trigger provisions for reporting cyber incidents. The report suggests that a covered entity should submit an initial written report to the required agency or agencies within 72 hours of the entity reasonably believing that a reportable cyber incident has occurred. However, the report also acknowledges that certain incidents may require shorter or longer reporting timelines based on national and economic security, safety, consumer protection, and privacy considerations. It also suggests that entities should have the ability to determine the full impact of an incident before notifying affected individuals, local governments, or the media.
In addition to the model timelines, the report also includes several other recommendations. These include considering delays in notifications when there is a significant risk to critical infrastructure, national security, public safety, or ongoing law enforcement investigations. The report also suggests studying how to streamline the receipt and sharing of cyber incident reports to avoid duplication and comparing incident data provided to different agencies at different times. It recommends allowing for updates and supplemental reports as cyber incidents evolve, creating a common terminology for incident reporting, and improving the process for engaging with reporting entities to avoid confusion and duplication.
However, implementing the recommendations in the report may require legislative changes. The report recommends that Congress remove any legal or statutory barriers to harmonization and authorize agencies to align their regulatory requirements with the CIRC recommendations. It also suggests providing funds for agencies to collect and share common cyber incident data elements. Furthermore, the report proposes exempting cyber incident information reported to the federal government from disclosure under the Freedom of Information Act (FOIA) or similar mechanisms, in order to protect sensitive information from threat actors.
The reaction to the report has been cautiously optimistic. The Information Technology Industry Council has commended the actionable recommendations and the potential for improved security outcomes while reducing the burden on critical infrastructure partners. However, it is expected that there will be pushback on some of the recommendations, as evidenced by the comments submitted to the DHS in response to a request for information on cyber incident reporting regulations.
The report marks the starting point for discussions and further collaboration between agencies, local and foreign governments, and industry stakeholders to determine the best way to adopt the recommendations and overcome any legal or statutory limitations. This effort is part of a broader initiative to enhance cybersecurity and strengthen the nation’s resilience against cyber threats.