Last week, the US Department of Homeland Security (DHS) released a report titled the Harmonization of Cyber Incident Reporting to the Federal Government, that lays out a working template for how the Cybersecurity and Infrastructure Security Agency (CISA) might implement its upcoming cyber incident reporting regulations.
CISA must produce its incident report requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA also required DHS to issue this report to address potential duplication of cyber incident reporting requirements, the challenges of harmonizing these requirements, the steps DHS could take to facilitate this harmonization, and proposed legislation that might be needed to address duplicative requirements.
Under CIRCIA, Congress established a Cyber Incident Reporting Council (CIRC) to “coordinate, deconflict, and harmonize federal incident reporting requirements, including those issued through regulation.” CIRC and 33 government agencies investigated the duplication and harmonization issues and issued a series of recommendations on how best to harmonize the various cyber incident report activities spread across the federal government.
A welter of agency requirements
CIRC discovered fifty-two in-effect or proposed federal cyber incident reporting requirements that serve as the basis for the model for reportable cyber incidents spelled out in the report. Forty-five of those are in effect and administered by 22 federal agencies.
Twenty-five requirements relate to national security, economic security, or public safety. Thirteen focus on privacy or consumer or investor protection, with six serving purposes in both categories. The methods for collecting incident reports vary widely across all these regimes, designed for different purposes but require duplicative information.
One common platform for them all
The task of DHS was to find a way to harmonize all these requirements so that CISA’s regulations imposed the least amount of duplication while still allowing the existing sector-specific reporting requirements to include information tailored to their varying purposes.
To that end, CIRC recommends that the federal government create a common reporting platform and intra-government information-sharing platform to alleviate duplicative reporting, with clear definitions and consistent terminology across reporting regimes, allowing additional information in supplement reports. In an appendix to the report, DHS presents a model common platform that it thinks fits the bill.
The following summarizes the report’s key recommendations, highlights some challenges in adopting this customizable uniform reporting mechanism, and outlines legislative actions needed to create the common platforms.
Model definition of a reportable cyber incident
The first recommendation in the report calls for a model definition of a reportable cyber incident
“wherever practicable” that draws on the commonalities in the existing reporting requirements. To encourage timely reporting and assuage concerns that organizations must gather all relevant information before submitting a report, CIRC suggests the definition should also include language that a cyber incident that is still under investigation be reportable.
CIRC recommends that a reportable cyber incident should explicitly exclude lawful US government activities such as those undertaken under a warrant or other judicial process. Moreover, CIRC recommends that the definition exclude “data breach incidents when potentially compromised data is adequately encrypted or disassociated so that the information cannot be used, and such encryption or data disassociation has not been compromised.”
CIRC also recommends that reportable incidents should exclude situations where a ransomware extortion threat exists, although it’s unclear what this means. (CISA did not respond to a request for clarification about this exclusion). Under CIRCIA, ransomware victims must separately report ransoms to CISA within 24 hours of payment.
Definitions of a reportable incident
Finally, the definition excludes good faith research carried out by any reporting entity. With these exclusions, CIRC offers the following definition of what is a reportable incident:
A reportable cyber incident is a cyber incident that leads to, or, if still under the covered entity’s investigation, could reasonably lead to any of the following:
1) a substantial loss of confidentiality, integrity, or availability of a covered information system, network, or operational technology;
(2) a disruption or significant adverse impact on the covered entity’s ability to engage in business operations or deliver goods, or services, including those that have a potential for significant impact on public health or safety or may cause serious injury or death;
(3) disclosure or unauthorized access directly or indirectly to non-public personal information of a significant number of individuals; or
(4) potential operational disruption to other critical infrastructure systems or assets.
The term “reportable cyber incident” includes, but is not limited to, indications of compromises of information systems, networks, or operational technologies of customers or other third parties as well as a business or operational disruption caused by a compromise of a cloud service provider, managed service provider, or other third party data hosting provider.
Model timeline for reporting and trigger provisions
The second recommendation in the report calls for creating model cyber incident reporting timelines and triggers, or “starting the clock,” for submitting an incident report “wherever practicable.” While CIRCIA creates a reporting timeline of 72 hours, some federal agencies call for shorter or longer timelines.
CIRC suggests that requirements related to national and economic security and safety may require timelines shorter than 72 hours, while agencies with consumer protection and privacy requirements may adopt a more flexible timeline. The timelines for notifying affected individuals, local governments, or the media can extend beyond the requirements to give the entity the ability to determine the full impact of the incident.
Given these considerations, CIRC offers the following model timeline and reporting provisions:
A covered entity that experiences a reportable cyber incident shall submit an initial written report to the required agency or agencies within 72 hours of when the covered entity reasonably believes that a reportable cyber incident has occurred.
Note: For incidents that may disrupt or degrade the delivery of national critical functions or the reporting entity’s ability to deliver vital goods or services to the public, or impact public health or safety, agencies may require covered entities to submit an initial report to the required agenc[ies] within less than 72 hours.
Note: For incidents that involve the loss of personal information without further impact on business operations, agencies may include a timeline longer than 72 hours. Such a requirement should consider the potential national or economic security implications of the loss of personal information and the ability of individuals to mitigate harm from the compromise of their information.
Other recommendations
The report also lists a series of other recommendations, including
- Consider whether a delay is warranted: CIRC says agencies should consider delays when a notification poses a significant risk to critical infrastructure, national security, public safety, or an ongoing law enforcement investigation. The delays would apply to the common reporting platform and not notifications to regulators.
- Assess how best to streamline the receipt and sharing of cyber incident reports and information. CIRC recommends that, given how many agencies are receiving incident reports, the government should study how to “deconflict” incident information reported to multiple agencies and avoid problems associated with comparing incident data provided to multiple agencies at different points in time.
- Allow for updates and supplemental reports. Given the fluid and ever-evolving nature of cyber incidents, CIRC recommends that reporting entities should be able to supplement or update their initial report if they discover new, significant information about the incident.
- Create a common terminology. Because there is a lot of variation among agencies in how they refer to incidents and other reports, CIRC suggests that the government adopt common terminology around the use of terms like “Initial Report” and what constitutes an update or supplemental report.
- Improve the process for engaging with reporting entities. Because uncoordinated outreach from multiple federal government agencies could create confusion and burdens among reporting entities, CIRC recommends coordination between SRMAs (sector risk management agencies), regulators, federal law enforcement, and CISA to avoid duplicative or uncoordinated outreach following an incident.
Legislative changes needed
Because some agencies may face legal or statutory obstacles to adopting the model provisions and forms proposed by CIRC, CIRC recommends that Congress remove any legal or statutory barriers to harmonization. Certain agencies have already indicated that they lack sufficient authority to collect all of the recommended data elements in the model form DHS includes in the report, so Congress might need to consider legislation that, for example, “authorizes agencies to align their regulatory requirements to CIRC recommendations notwithstanding other provisions of law.”
Moreover, the agencies may also lack funds to collect the data. CIRC recommends that Congress provides funds to enable them to collect and share common cyber incident data elements that may not otherwise be authorized.
Finally, CIRC recommends that Congress should exempt from disclosure under FOIA or other similar legal mechanisms for cyber incident information reported to the federal government. This recommendation addresses fears among cyber responders about what will happen with the information they report to one or more agencies following a cyber incident, given the delicate nature of managing the incidents and the need to shield potentially damaging information from threat actors.
Reactions and next steps
DHS stresses that CIRC’s recommendations are at the beginning, not the end. CIRC will continue working with agencies and local and foreign governments on how best to adopt the recommendations and identify specific statutory or legal limitations that must be overcome to achieve harmonization.
The initial reaction to the harmonization report appears to be tentatively optimistic. “While we’re still reviewing today’s report, we’re encouraged to see that it produces actionable recommendations for clear, streamlined, and harmonized requirements that can yield better security outcomes while reducing the burden on critical infrastructure partners,” John Miller, senior vice president of policy and general counsel for the Information Technology Industry Council, said in a statement.
However, given the wide-ranging comments submitted to CISA in response to a request for information (RFI) ahead of the agency’s rulemaking on its cyber incident reporting regulations, slated to kick off in March 2024, it’s likely that some of CIRC’s recommendations will receive pushback. Many of the RFI commenters pushed for a narrower definition of a reportable cyber incident and sought to expand the timeframe under which incidents should be reported.