Latest government funding bill makes modest cut to CISA. Why it matters: 1. The proposed funding of $2.8 billion for the Cybersecurity and Infrastructure Security Agency (CISA) is less than last year's budget and short of the Biden administration's request for 2024, suggesting budget constraints on cybersecurity efforts. 2. The funding gap could impact the agency's ability to oversee vital cybersecurity measures, like the impending incident reporting rule requiring critical infrastructure entities to notify CISA quickly after security breaches. 3. The shortfall questions whether the government is sufficiently prioritizing cybersecurity, despite increasing risks of cyber attacks on critical infrastructure, potentially compromising national security. Learn more by visiting The Record from Recorded Future News: https://lnkd.in/embRykjX
The Record from Recorded Future News’ Post
-
Is a big regulatory change coming to the U.S. critical infrastructure sector? Well, the Cybersecurity and Infrastructure Security Agency (CISA) has posted a notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law back in 2022. The rule in question would require critical infrastructure organisations, excepting small businesses, to report "substantial cyber incidents" within 72 hours of discovering them. The rule would also mandate CI organisations to report ransom payments within 24 hours. What happens now? As this piece in The Register lays out: "The proposal is scheduled to publish in the Federal Register on April 4, and from that time the public will have 60 days to submit written comments before the regulations become law. CISA expects to publish the final rule within 18 months after the public comment period closes." For more, read the full article here: https://lnkd.in/gXv65FMN #teamnoggin #criticalinfrastructure #cisa
Critical infrastructure cyberattack reporting rules proposed
theregister.com
-
The DHS is shaking things up with new rules on critical infrastructure reporting! Get the dish from the expert @Christopher Warner from GuidePoint Security on #CyberIncidents and #Ransomware reporting. Private sector, you better play by the rules! Dive into the deets on Dark Reading. https://okt.to/fkUHN3 #CIRCIA #CISA
DHS Proposes Critical Infrastructure Reporting Rules
darkreading.com
-
Learn about the latest critical infrastructure reporting rules proposed by the Department of Homeland Security. Gain valuable insights from Senior Security Consultant Christopher Warner, MBA, at @GuidePoint on #CyberIncidents and #Ransomware reporting requirements. Discover the significance of private-sector compliance in this process. Read more on Dark Reading about the new reporting requirements and next steps in the process. Explore the details here: https://okt.to/KDRkPX #CIRCIA #CISA
DHS Proposes Critical Infrastructure Reporting Rules
darkreading.com
-
CISA is stepping up big time with these new rules (447 pages!). This whole setup where companies have to report cyber incidents quickly is a game-changer. The specifics about what counts as a reportable incident are pretty broad. This isn't just about catching the big fish but also about tracking the smaller ones that could signal bigger problems. And let's talk about the paperwork, well, digital work. These companies aren't just going to jot down a note on a sticky. They have to provide a ton of details, preserve them for years, and make sure they're ready to hand them over if CISA comes knocking. It sounds tedious, but it's all in the name of tightening up security. There's also a real push to make sure this doesn't become an administrative nightmare with overlapping reports. The idea of streamlining so you don't have to tell your story to ten different government agencies is a relief. Hopefully, CISA can keep it all smooth so companies can focus on plugging the leaks rather than drowning in paperwork.

Key Points

Introduction of CIRCIA: Following major cyber incidents, such as the attack on Colonial Pipeline, Congress passed CIRCIA, aiming to establish a centralized reporting system for cyber incidents affecting critical infrastructure.

CISA's Proposed Rulemaking: In March, the Cybersecurity and Infrastructure Security Agency (CISA) published a Notice of Proposed Rulemaking (NPRM) detailing the rules for this new reporting requirement, which mandates reporting significant cyber incidents within 72 hours and ransom payments within 24 hours.

Scope of the Rule: The proposed rules apply to all significant entities except small businesses, unless those fall into high-risk categories like rural hospitals and nuclear facilities. The rules outline what constitutes a covered cyber incident, including substantial losses or disruptions caused by various cyber threats.

Reporting Mechanisms: Entities must report through a CISA-approved web form or other methods, detailing the incident, its impact, and other relevant information. There are specific scenarios where reporting is mandatory, including direct incidents, ransom payments, and significant new information after an initial report.

Exemptions and Coordination: There are exemptions if similar information is reported to another federal agency under existing laws or agreements. CISA is working to minimize overlap with other reporting requirements.

Preservation and Enforcement: Entities are required to preserve detailed records of incidents for two to three years. CISA has enforcement powers, including subpoenas and financial penalties, to ensure compliance.

Impact and Timeline: The proposed rules will cover over 316,000 entities, with substantial compliance costs anticipated; however, the benefits in terms of enhanced security and coordination are deemed significant. Final rules are expected by late 2025, with implementation in 2026.
Understanding CISA's proposed cyber incident reporting rules
csoonline.com
-
Department of Homeland Security introduces new regulations for reporting on critical infrastructure incidents. Christopher Warner, MBA, Senior Security Consultant at GuidePoint Security, shed light on the criteria for reporting #CyberIncidents and #Ransomware, emphasizing the significance of private-sector adherence. Explore more about Warner's perspectives and the upcoming reporting procedures at Dark Reading. https://okt.to/VlYdkC #CIRCIA #CISA
DHS Proposes Critical Infrastructure Reporting Rules
darkreading.com
-
CISA wants ‘high-quality feedback’ for another month on CIRCIA rule. Why it matters: 1. The extension of the public comment period for the proposed CIRCIA regulation could influence the final rule. Industries that requested the extension, such as energy and IT, hope to improve the rule to protect crucial infrastructure without creating onerous restrictions. 2. The regulation itself, along with any delays in its implementation, could impact CISA's efforts to track cyber incidents and ransomware payments, potentially affecting responses to cybersecurity threats. 3. Extensions might risk the regulation’s effectiveness, as industry sectors opposed to the rule could potentially 'game the system' by delaying their feedback, hindering CISA's ability to finalize the regulation within the stipulated timeline. Learn more by visiting The Record from Recorded Future News: https://lnkd.in/eNtaqZyF
CISA wants ‘high-quality feedback’ for another month on CIRCIA rule
therecord.media
-
The Cybersecurity and Infrastructure Security Agency (CISA) is moving forward with its breach reporting rules under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This expansion could soon require over 300,000 critical infrastructure entities across 16 sectors to report cyber incidents to the federal government. The current proposal outlines four types of incidents, including serious data loss, operational impacts, and ransomware payments, that must be reported within 72 hours. While the rules aim to enhance security, ambiguity around reporting thresholds and overlapping regulations with other federal agencies may remain. Smaller organizations, which may lack the resources to implement cybersecurity measures effectively, are encouraged to adopt platform-centric approaches and consult legal or sector-specific resources to clarify their status. Experts suggest entities should prepare by establishing an incident response plan, including budget and training for reporting requirements. Though the rules are expected to move forward with possible adjustments based on public feedback, there is uncertainty about how political changes might affect CISA’s jurisdiction in the future.
-
The impending deadline for federal agencies to fully implement #ZeroTrust security measures is a critical milestone in the government's #cybersecurity strategy. This deadline, set forth in a cybersecurity executive order, is designed to bolster the nation's defenses against cyber threats. While many agencies have made significant progress toward meeting this goal, the implementation process is complex and requires a comprehensive approach. Although the September deadline represents a significant step forward, it's important to note that it's not the end of the journey. Zero-trust security is an ongoing process that requires continuous monitoring, evaluation, and adaptation to evolving threats. As #federal agencies strive to meet the deadline and beyond, they must remain vigilant in their efforts to protect sensitive government information. https://lnkd.in/dVKbuZwZ
Major agencies are close to meeting September zero trust deadline, federal CIO says
nextgov.com
-
CISA's new Notice of Proposed Rulemaking, the next step on the road to establishing the country's first ever cross-sectoral federal cybersecurity incident and ransomware payment reporting system, poses significance for over 300,000 soon-to-be "covered entities", including many that have not historically considered themselves part of a "critical infrastructure" industry but will nevertheless be swept up under these proposed rules. Along with the wide breadth of impacted entities, many healthcare and other entities already accustomed to reporting breaches on 30- or 60-day clocks under existing federal regimes will now find themselves required to make disclosures to the federal government on a statutorily mandated 72-hour clock. My colleagues Edward R. McNicholas, Jake Barr, and I discuss in more detail these implications for hundreds of thousands of businesses and summarize crucial next steps for these businesses to take to ensure compliance with the proposed rule in the alert below.
New Cross-Sector 72 Hour Data Breach Requirements for Critical Infrastructure | Insights | Ropes & Gray LLP
ropesgray.com