Date: 20 Oct 2022
The Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information (RFI) on September 12, 2022, seeking input on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) that was signed by President Biden in March.
CIRCIA requires CISA to implement regulations requiring covered entities to report information about covered cyber incidents and ransom payments to CISA. CISA has 24 months to publish a Notice of Proposed Rulemaking (NPRM) in the Federal Register. CISA is gathering public input in advance of publishing the NPRM. While commenters can provide input on any aspect of CIRCIA, CISA is specifically seeking input in a few key areas.
DEFINITIONS: of key statutory terms whose meaning CIRCIA left to CISA rulemaking, including what constitutes a “covered entity” and a “covered cyber incident.”
METHODS: the form, manner, content, and procedures for submission of reports required by CIRCIA.
DUPLICATION: areas where obligations under CIRCIA may duplicate or conflict with existing cyber reporting obligations.
IMPLEMENTATION REQUIREMENTS: such as enforcement procedures and information protection policies, that will be required to implement CIRCIA.
The RFI process is expected to inform CISA’s rulemaking and ultimately provide additional clarity on who the law applies to, when reporting will be required, and the contents of any required reporting. In addition to accepting public written comment, CISA is holding public listening sessions in various locations through November this year.