CISA Publishes RFI for Cyber Incident Reporting Rule
CISA published a request for information in Monday’s (available online today) Federal Register (87 FR 55833-55836) to support their development of a congressionally mandated rulemaking for cybersecurity incident reporting (CSIR) under §2242(b) of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 (Division Y, PL 117-103, 136 STAT 1044). CISA has until March 15th, 2024 to publish a notice of proposed rulemaking (NPRM) to establish the CSIR regulations.
The RFI looks for public comments on the following categories of information:
Definitions, criteria, and scope of regulatory coverage,
Report Contents and Submission Procedures,
Other incident reporting requirements and security vulnerability information sharing, and
Additional policies, procedures, and requirements.
Definitions
Section 2240 (136 STAT 1039) from CIRCIA specifically requires CISA to define two terms: ‘covered cyber incident’ {constraints §2242(c)(1), 136 STAT 1044} and ‘covered entity’ {constraints §2242(c)(2), 136 STAT 1045}. In this notice CISA is asking for information about how those terms should be described. Since the broad pre-definition of ‘covered cyber incident’ in the legislation includes the term ‘substantial cyber incident’, CISA is also considering adding a definition of that term in the rulemaking. The term ‘cyber incident’, also referred to in the pre-definition, is already defined by reference to the definition of ‘incident’ in 6 USC 659, but CISA is asking for information about that definition as well.
CISA is also looking for information about the definition of the following terms that are already defined in §2240:
Ransom payment,
Ransomware attack, and
Supply chain compromise.
Finally, CISA wants help in deciding how to determine if an entity is “a multi-stakeholder organization that develops, implements, and enforces policies concerning the Domain Name System” {§2242(a)(5)(C), 136 STAT 1044}.
Report Contents
CISA is required {§2242(c)(4), 136 STAT 1046} to provide in the regulations a ‘clear description of the specific required contents of a report’, so they are asking for comments on how such a description could be crafted within the constraints of subsection (c)(4). The RFI reminds potential commenters that the purpose of the regulations is to “facilitate appropriate sharing of reports among federal partners”, presumably including other ‘covered facilities’ in the private sector.
CISA is also looking for comment on what constitutes “reasonable belief” that a covered cyber incident has occurred, since that belief is what starts the clock on the 72-hour deadline for reporting covered cyber incidents. Since the 72-hour deadline is set by law {§2242(a)(1)(A), 136 STAT 1043}, comments on the time limit itself are not helpful in the rulemaking process.
CISA is also interested in similar comments on the reporting requirement for ransomware payments under §2242(c)(5) (136 STAT 1045). Similarly, comments are being sought on deadlines and criteria for submitting supplemental reports under §2242(c)(7) (136 STAT 1047).
Other Incident Reporting Requirements
CISA recognizes that there are already some (limited) cyber-incident reporting requirements set in law. Section 104(b)(1) (136 STAT 1055) of CIRCIA requires CISA to “periodically review existing regulatory requirements, including the information required in such reports, to report incidents and ensure that any such reporting requirements and procedures avoid conflicting, duplicative, or burdensome requirements”.
The RFI includes a section looking for information about such current reporting requirements, including:
What agencies have such reporting rules?
What are the costs associated with complying with such rules?
What are the per incident costs of using a third-party reporting entity?
What are the costs associated with data retention about cyber incidents?
What should constitute “substantially similar reported information”?
What should constitute “substantially similar timeframe”?
Additional Policy, Procedures and Requirements
In the closing section of the RFI, CISA broadly addresses:
Enforcement processes (Section 2244, 136 STAT 1049),
Information protection (Section 2245, 136 STAT 1051), and
Any other items that might be worth covering in the regulations.
Public Comments
CISA is soliciting public comments on the RFI (duh). Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket # CISA-2022-0010). Comments should be submitted by November 14th, 2022.
Public Meetings
In a separate Federal Register notice, CISA is providing information about a series of public meetings that will address the RFI topics. The meeting list currently includes:
Salt Lake City, Utah - September 21, 2022,
Atlanta, Georgia - September 28, 2022,
Chicago, Illinois - October 5, 2022,
Dallas/Fort Worth, Texas - October 5, 2022,
New York, New York - October 12, 2022,
Philadelphia, Pennsylvania - October 13, 2022,
Oakland, California - October 26, 2022,
Boston, Massachusetts - November 2, 2022,
Seattle, Washington - November 9, 2022, and
Kansas City, Missouri - November 16, 2022
Personnel wishing to attend one of these listening sessions may register via email (circia@cisa.dhs.gov). Registration will be accepted up to two days prior to the meeting date.