May 9, 2024 at 08:13PM
CISA extends the feedback period for proposed CIRCIA incident reporting by 30 days. Concerns of additional red tape on cybercrime victims arise. CIRCIA law, requiring reporting within specific time frames, is in final stages at CISA. Congress allocated no extra resources for CISA to fulfill its responsibilities. CISA stresses coordinated cyber defense efforts. Organizations like CrowdStrike support CIRCIA reporting. Private sector advised to provide feedback by July 3.
Based on the meeting notes, it is clear that there are concerns within the private sector regarding the proposed Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rules. The Cybersecurity and Infrastructure Security Agency (CISA) has extended the feedback window by 30 days, recognizing the potential impact of imposing additional disclosure deadlines on the private sector. Additionally, there are concerns about the lack of resources available to CISA as it takes on the responsibility of collecting CIRCIA reporting without additional funding from Congress.
CISA’s executive director, Brandon Wales, emphasized the importance of the private sector sharing incident data with the federal government as a gesture of goodwill to strengthen the country’s cyber defenses. However, failure to comply with the regulation could result in organizations being banned from doing business with the federal government. Despite the potential benefits for the overall cyber defenses of the country, individual enterprise victims may not see a direct benefit from sharing their intelligence with CISA.
There is an emphasis on the need for clear definitions of what is covered under the CIRCIA reporting rules, and organizations are encouraged to submit recommendations on the rules via the Federal Register through July 3. It is evident that there is a call for the private sector to continue engaging in the rulemaking process and push for clarity on the regulations.
In conclusion, the meeting notes highlight the complexities and challenges associated with the proposed CIRCIA reporting rules, as well as the ongoing efforts by CISA to engage with the private sector and address their concerns.