CISA issues RFI on new cyber incident reporting requirements

Privacy, Cyber Risk & Data Security Agency Rule-Making & Guidance CISA Ransomware

On September 9, the Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information (RFI) from critical infrastructure owners and operators on how to develop new data breach reporting regulations related to ransomware and other malicious attacks. The RFI will inform CISA’s promulgation of proposed regulations as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Specifically, the agency is requesting feedback on definitions and terminology for the proposed rules, the form and content of reports, incident reporting requirements, enforcement procedures, and information protection policies. Once the final regulation is published, CISA will use information obtained from cyber-incident reports submitted by covered entities to “deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends and understand how malicious cyber actors are perpetrating their attacks, and quickly share that information with network defenders to warn other potential victims,” the RFI explained. CISA will also host a series of public listening sessions across the country to receive additional input as it develops the proposed regulations. Comments on the RFI are due November 14.