US critical infrastructure cyberattack reporting rules inch closer to reality

submitted by
Style Pass
2024-03-28 14:30:03

America's long-awaited cyber attack reporting rules for critical infrastructure operators are inching closer to implementation, after the Feds posted a notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).

President Joe Biden signed CIRCIA into law in March 2022, and that set a timer for the US Cybersecurity and Infrastructure Agency (CISA), which had two years to propose a rule.

As proposed, the 447-page rule [PDF] would require organizations that fall under any of the United States' 16 critical infrastructure sectors to report "substantial cyber incidents" within 72 hours of discovering them. This essentially includes any digital intrusion that leads to substantial harm, poses a significant threat to the organization's ability to function, or threatens national security, public health, or safety.

"These reports will allow us to rapidly deploy resources and render assistance to victims suffering an attack, analyzing and cutting reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims," a senior CISA official told reporters on Wednesday.
