The Cybersecurity and Infrastructure Security Agency posted a long-anticipated notice of proposed rulemaking Wednesday for the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The rule would require covered entities to promptly report cyber disruptions and ransomware payments.
CIRCIA requires covered entities to report significant cyber incidents within 72 hours of discovery. Critical infrastructure entities will also have to report ransom payments within 24 hours.
The proposed rule is designed to help federal authorities better coordinate critical infrastructure threat responses and share vital details with industry and government partners.
“CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure,” CISA Director Jen Easterly said in the Wednesday announcement. “It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats.”
CISA estimates the cost of the proposed rule will be $2.6 billion over the period of analysis and estimates more than 316,000 entities will potentially be affected by the rule.
The U.S. has previously designated 16 critical infrastructure sectors, however analysts warn there will likely be further debate about which entities will be fully required to comply under the new rule.
UnitedHealth Group, which was central to the recent cyberattack at Change, would be considered a critical infrastructure provider under the current definitions, according to Katell Thielemann, Distinguished VP analyst at Gartner.
“But it’s not clear whether claims processor Change Healthcare, which has brought almost the entire healthcare sector down due to their recent attack, would be under the current framework,” Thielemann said.
The Department of Homeland Security, which CISA is a part of, posted the unpublished notice Wednesday on the Federal Register site for public inspection. The notice will be formally published on April 4 and a 60 day comment period will follow to get written responses from the public.
This post was originally published on the 3rd party site mentioned in the title of this this site