DHS Proposes Critical Infrastructure Reporting Rules

The Department of Homeland Security today previewed a set of proposed rules for how critical infrastructure organizations should report cyber incidents to the federal government.

The reporting process will be overseen by the Cybersecurity and Infrastructure Security Agency (CISA), a stipulation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The proposed rules will officially be published on April 4; DHS offered no explanation for what amounts to an early release.

CIRCIA was signed into law in March 2022 with the goal of improving America's cybersecurity by being able to deploy resources faster as well as assist victims in the face of cyberattacks, among other objectives. Under CIRCIA, CISA is required to "promulgate regulations implementing the statute's covered cyber incident and ransom payment reporting requirements for covered entities," DHS said in its March 27 preview. 

Official release of 447-page document opens public comment on the proposed rules — what they should contain and how they should be administered, among other requirements.

Chris Warner, OT security strategist at GuidePoint Security, noted that while certain challenges arise with this kind of policymaking, it also poses substantial advantages. 

"The legislation has significant potential benefits for private organizations that operate over 70% of the nation's critical infrastructure," Warner wrote in an emailed statement. "The enforcement of reporting an attack within 72 hours and a ransom payment within 24 hours could help identify these events so they are reported."