March 28, 2024 at 06:06AM
The US Cybersecurity and Infrastructure Security Agency (CISA) is seeking input on the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which is estimated to impact 316,000 entities. The proposed rules are estimated to cost $2.6 billion over 11 years; the act sets reporting requirements and has led to the creation of cyber task forces. President Biden signed CIRCIA into law in March 2022.
From the meeting notes, I have identified the following key takeaways:
1. The US Cybersecurity and Infrastructure Security Agency (CISA) is seeking input on the implementation of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
2. CIRCIA, signed into law by President Biden in March 2022, aims to enhance the ability to spot trends, assist cyber incident victims, and share information quickly with potential victims across critical infrastructure sectors.
3. CISA has announced a notice of proposed rulemaking (NPRM) to solicit written comments on the CIRCIA proposal over a 60-day period starting on April 4.
4. The proposed rules’ costs are estimated to total $2.6 billion over an 11-year period, impacting around 316,000 entities, and leading to an expected influx of more than 210,000 CIRCIA reports.
5. CISA has requested $116 million for the CIRCIA program for fiscal year 2025, focusing on staffing, processes, and technology.
6. CIRCIA requires covered entities to report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours.
7. The act has also led to the establishment of the Joint Ransomware Task Force (JRTF) and the Ransomware Vulnerability Warning Pilot (RVWP) Program to address cyber threats and vulnerabilities in critical infrastructure systems.
These takeaways reflect the key points discussed during the meeting regarding the implementation and impact of the CIRCIA legislation and CISA’s efforts in response to cyber threats and incidents within critical infrastructure.