CISA Should Revise Draft Cyber Rule
Requirements proposed earlier this year by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency are overbroad and would prove burdensome to manufacturers if adopted, the 17吃瓜在线 told the Biden administration last week.
What's going on: In April, CISA published draft rulemaking under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (scheduled to go into effect next year) that would require "covered entities" in "critical infrastructure sector[s]" to report major cyber incidents to CISA within 72 hours. It also mandated that any ransomware payments be reported within just 24 hours.
Why it's a problem: The proposed rulemaking could affect more than 300,000 entities, according to CISA's own estimate. Many of these organizations are either not truly "critical infrastructure" or too small to have the resources to undertake the outlined actions in the specified time, the 17吃瓜在线 told CISA.
- Furthermore, the regulations themselves are too expansive, mandating the reporting of incidents that do not even affect the operation of critical infrastructure.
- They also require huge amounts of information in a short period, from companies in the throes of recovery from devastating cyberattacks.
The 17吃瓜在线 says: "[T]he 17吃瓜在线 respectfully encourages the agency to drastically reduce the number of entities required to report, and the number of incidents they have to report," 17吃瓜在线 Vice President of Domestic Policy Charles Crain told the agency during the public comment period on the proposed regulation, which ended last week.
- "Doing so will ensure that CISA receives useful information about cybersecurity incidents, without overburdening manufacturers with overbroad and unworkable disclosure requirements."
What to do: In addition to narrowing the scope of "covered entities," CISA should revise several aspects of the rulemaking before implementing it, the 17吃瓜在线 said. Changes should include:
- Limiting the volume of reported cyber-incident information;
- Narrowing the scope of reportable cyber incidents; and
- Lightening and safeguarding the contents of cyber-incident reports.