As the Cybersecurity and Infrastructure Security Agency (CISA) prepares to issue its final rule to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), the agency is also preparing to implement new technology solutions and hire additional staff to help with the coming influx in cyber incident reports.
A new Government Accountability Office (GAO) report found that CISA has implemented the 13 requirements from CIRICA that were due by March 2024 – such as developing and publishing a proposed rule.
CISA officially published the proposed rule to the Federal Register on April 4, giving the public 60 days to submit written comments. July 3 was the deadline for the public to submit comments to help inform the final rule – which CISA expects to publish within 18 months of the close of the comment period.
CIRCIA – signed into law by President Biden in March 2022 – requires CISA to develop and implement regulations requiring covered entities to report cyber incidents and ransomware payments to the government.
Under the law, critical infrastructure owners and operators are obligated to report certain cyber incidents to CISA within 72 hours, and to report ransomware payments they made to attackers within 24 hours.
However, CISA officials told the watchdog agency that they still face several challenges as they prepare to implement CIRCIA.
“Specifically, CISA anticipates receiving an increased number of mandatory and voluntary reports that the agency will be required to review and act on within a short time frame. CISA officials stated that the agency lacked sufficient technology and staff to effectively handle these cyber incident review requirements,” the GAO report says.
CISA and interagency partners currently share incident reports through “manual processes,” according to the report. The agency said automation, such as an automated mechanism for entities to share reports “could help reduce burdens for reporting entities.”
“To address these challenges, CISA plans to update and implement new technology solutions and hire additional staff,” the report says. “Specifically, officials stated they are actively working to develop critical technology projects, such as an incident reporting portal to accept cyber incident reports, a unified ticketing system, and other integrated tools.”
As for hiring additional staff, CISA said it plans to hire new staff “who would be responsible for the handling of cyber incident reports … closer to the date when they might expect to receive those reports (between June and October 2024).”
“If CISA is able to implement the new technology solutions and hire the additional staff it needs to process the CIRCIA cyber incident reports, it may be able to address the identified challenges,” GAO concludes.