CISA launches solicitation for public feedback on incident reporting rule

The Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued its request for public feedback on the organization’s forthcoming cyber incident reporting rules.

The notice was published in the Federal Register today. The comment period will remain open until November 14.

CISA also will hold a series of listening sessions across the country in the coming months to collect additional input, with events slated in cities like Oakland, Boston, Atlanta and Chicago.

CISA Director Jen Easterly last week said the agency would undertake the actions to comply with the cyber incident reporting bill that was signed into law in March. 

“We don’t want to burden industry and we don’t want to burden the federal government with noise either,” she said at the Billington Cybersecurity Summit in Washington.

The measure was viewed as a necessary step by policymakers and senior White House officials alike after a year marked by major hacks, including the SolarWinds breach and the ransomware attacks on the Colonial Pipeline and meat processing giant JBS.

“We can’t defend what we don’t know about and the information we receive will help us fill critical information gaps that will inform the guidance we share with the entire community, ultimately better defending the nation against cyber threats,” Easterly said Friday in a statement.

The notice states CISA is :particularly interested in input on definitions for and interpretations of the terminology to be used in the proposed regulations; the form, manner, content, and procedures for submission of reports" required under the law and "information regarding other incident reporting requirements including the requirement to report a description of the vulnerabilities exploited; and other policies and procedures, such as enforcement procedures and information protection policies, that will be required for implementation of the regulations."

The Homeland Security Department is also spearheading the Cyber Incident Reporting Council, which was created by the legislation, and will help inform the new proposed rule, according to CISA.

Senate Intelligence Committee Chair Mark Warner (D-Va.) on Friday said he was "excited" see CISA moving forward with implementing the bipartisan law.

"I encourage stakeholders to participate in this process and look forward to seeing CISA continue to move expeditiously to adopt these vital safeguards," Warner, a former telecommunications executive, said in a statement.