The Cybersecurity and Infrastructure Security Agency (CISA) said the agency is aiming to begin a rulemaking process to implement mandatory cyber incident reporting rules for critical infrastructure owners and operators included in the Fiscal Year 2022 omnibus spending bill signed into law by President Biden last month.
The Cyber Incident Reporting for Critical Infrastructure Act, which was approved as part of the spending bill, obligates critical infrastructure owners and operators to report certain cyber incidents to CISA within 72 hours, and to report ransomware payments they made to attackers within 24 hours.
Implementation of the new reporting rules awaits CISA’s rulemaking on how to put the law into action, a process that will decide, among other things, what kinds of entities will be covered by the law.
In a fact sheet issued on April 7, CISA said it applauds the new law, and “will now undertake a rulemaking process to implement the statutory requirements.” The agency did not offer a timeline for that process.
In the meantime, CISA said it continues to “encourage our stakeholders to voluntarily share information about cyber-related events that could help mitigate current or emerging cybersecurity threats to critical infrastructure.”
“When cyber incidents are reported quickly, CISA can use this information to render assistance and provide a warning to prevent other organizations and entities from falling victim to a similar attack,” the agency said. “This information is also critical to identifying trends that can help efforts to protect the homeland.”