(4) potential operational disruption to other critical infrastructure systems or assets.
The term “reportable cyber incident” includes, but is not limited to, indications of compromises of information systems, networks, or operational technologies of customers or other third parties as well as a business or operational disruption caused by a compromise of a cloud service provider, managed service provider, or other third party data hosting provider.
Model timeline for reporting and trigger provisions
The second recommendation in the report calls for creating model cyber incident reporting timelines and triggers, or “starting the clock,” for submitting an incident report “wherever practicable.” While CIRCIA creates a reporting timeline of 72 hours, some federal agencies call for shorter or longer timelines.
CIRC suggests that requirements related to national and economic security and safety may require timelines shorter than 72 hours, while agencies with consumer protection and privacy requirements may adopt a more flexible timeline. The timelines for notifying affected individuals, local governments, or the media can extend beyond the requirements to give the entity the ability to determine the full impact of the incident.
Given these considerations, CIRC offers the following model timeline and reporting provisions:
A covered entity that experiences a reportable cyber incident shall submit an initial written report to the required agency or agencies within 72 hours of when the covered entity reasonably believes that a reportable cyber incident has occurred.
Note: For incidents that may disrupt or degrade the delivery of national critical functions or the reporting entity’s ability to deliver vital goods or services to the public, or impact public health or safety, agencies may require covered entities to submit an initial report to the required agenc[ies] within less than 72 hours.
Note: For incidents that involve the loss of personal information without further impact on business operations, agencies may include a timeline longer than 72 hours. Such a requirement should consider the potential national or economic security implications of the loss of personal information and the ability of individuals to mitigate harm from the compromise of their information.
The report also lists a series of other recommendations, including
- Consider whether a delay is warranted. CIRC says agencies should consider delays when a notification poses a significant risk to critical infrastructure, national security, public safety, or an ongoing law enforcement investigation. The delays would apply to the common reporting platform and not to notifications to regulators.
- Assess how best to streamline the receipt and sharing of cyber incident reports and information. CIRC recommends that, given how many agencies are receiving incident reports, the government should study how to “deconflict” incident information reported to multiple agencies and avoid problems associated with comparing incident data provided to multiple agencies at different points in time.
- Allow for updates and supplemental reports. Given the fluid and ever-evolving nature of cyber incidents, CIRC recommends that reporting entities should be able to supplement or update their initial report if they discover new, significant information about the incident.
- Create a common terminology. Because there is a lot of variation among agencies in how they refer to incidents and other reports, CIRC suggests that the government adopt common terminology around the use of terms like “Initial Report” and what constitutes an update or supplemental report.
- Improve the process for engaging with reporting entities. Because uncoordinated outreach from multiple federal government agencies could create confusion and burdens among reporting entities, CIRC recommends coordination between SRMAs (sector risk management agencies), regulators, federal law enforcement, and CISA to avoid duplicative or uncoordinated outreach following an incident.
Legislative changes needed
Because some agencies may face legal or statutory obstacles to adopting the model provisions and forms proposed by CIRC, CIRC recommends that Congress remove any legal or statutory barriers to harmonization. Certain agencies have already indicated that they lack sufficient authority to collect all of the recommended data elements in the model form DHS includes in the report, so Congress might need to consider legislation that, for example, “authorizes agencies to align their regulatory requirements to CIRC recommendations notwithstanding other provisions of law.”
Moreover, the agencies may also lack funds to collect the data. CIRC recommends that Congress provide funds to enable them to collect and share common cyber incident data elements that may not otherwise be authorized.
Finally, CIRC recommends that Congress exempt cyber incident information reported to the federal government from disclosure under FOIA or other similar legal mechanisms. This recommendation addresses fears among cyber responders about what will happen with the information they report to one or more agencies following a cyber incident, given the delicate nature of managing the incidents and the need to shield potentially damaging information from threat actors.
Reactions and next steps
DHS stresses that CIRC’s recommendations are a starting point, not an end point. CIRC will continue working with agencies and local and foreign governments on how best to adopt the recommendations and identify specific statutory or legal limitations that must be overcome to achieve harmonization.
The initial reaction to the harmonization report appears to be tentatively optimistic. “While we’re still reviewing today’s report, we’re encouraged to see that it produces actionable recommendations for clear, streamlined, and harmonized requirements that can yield better security outcomes while reducing the burden on critical infrastructure partners,” John Miller, senior vice president of policy and general counsel for the Information Technology Industry Council, said in a statement.
However, given the wide-ranging comments submitted to CISA in response to a request for information (RFI) ahead of the agency’s rulemaking on its cyber incident reporting regulations, slated to kick off in March 2024, it’s likely that some of CIRC’s recommendations will receive pushback. Many of the RFI commenters pushed for a narrower definition of a reportable cyber incident and sought to expand the timeframe under which incidents should be reported.