CISA Launches New Cyber Incident Reporting Rules
The US Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a new draft for updated rules on cyber reporting for critical infrastructure organizations.
In an effort to update the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022, CISA released the first draft of new proposed rules, which will be published in the Federal Register on April 4.
These rules will apply to all US defense contractors considered to operate critical infrastructure under the DFARS clause 252.204-7012.
Under the legislation, all organizations that fall within the 16 critical infrastructure sectors, as defined by CISA, will be obliged to report cyber incidents to the agency within 72 hours after they occur.
Additionally, ransom payments made in response to a ransomware attack must be reported within 24 hours after the payment has been made.
US Defense Contractors to Double Report to Both CISA and DoD
The new 447-page document describes the steps that “covered entities” must take when they experience a cyber incident or a ransom request.
These include reporting to CISA in any of the following four situations:
- Substantial loss of confidentiality, integrity, or availability
- Serious impact on safety and resiliency of operational systems and processes
- Disruption of ability to engage in business or industrial operations
- Unauthorized access facilitated through or caused by a supply chain compromise or the compromise of a cloud service provider (CSP), managed service provider (MSP) or other third-party data hosting provider
In the document, CISA suggested coercive actions for false reporting or non-compliance, such as the ability to subpoena the entity or report it to the US Justice Department (DoJ).
Although CISA acknowledged that most – if not all – covered entities already have to report the same incidents to the US Defense Department (DoD), the agency “nevertheless is proposing to include them within the CIRCIA Applicability section.”
“This will ensure that the Federal government receives information necessary to identify cyber threats, exploited vulnerabilities and techniques, tactics and procedures (TTPs) that affect entities in this community and in other interdependent critical infrastructure sectors, even if changes are made to what must be reported pursuant to the DFARS regulation, over which CISA has no authority,” reads the draft.
Covered entities have 60 days to send CISA feedback on the new proposed rules.