The Department of Homeland Security's cybersecurity watchdog is set to get a little more bite to its bark with "game-changing" rules that mandate immediate reporting of details on attacks on critical infrastructure.
The US Cybersecurity and Infrastructure Security Agency (CISA) said that it is moving forward with the rules that would be enforced under the 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
Since the 2022 passage of the bill, CISA and the DHS have been drafting and hammering out the details for how the new rules could be implemented and enforced. With another notice set to go live on April 4, the agency hopes that it is entering the home stretch.
"CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents, and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors," said Homeland Security Secretary Alejandro Mayorkas.
"The proposed rule is the result of collaboration with public and private stakeholders, and DHS welcomes feedback during the public comment period on the direction and substance of the final rule.”
A key part of the CIRCIA text includes provisions that direct CISA to create rules and provisions that would require companies in certain industries to promptly disclose and detail incidents such as network intrusions and ransomware attacks.
According to Capital Hill news site NextGov, those proposed changes could include the power to issue subpoenas.
CISA already allows voluntary reporting of cybersecurity incidents.
The hope is that the CIRCIA rules will allow CISA to dramatically increase its database and resources for private companies who contract with the government or work in the critical infrastructure areas often targeted by adversaries.
CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure,” CISA director Jen Easterly said of the bill.
"It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats."
One area likely to be of key interest to CISA will be embedded devices and operational technology networks.
Earlier this month, a report from the Government Accountability Office (GAO) blasted the agency for failing to adequately staff and manage its OT-specific operations as well as its vulnerability database.
