CISA readying info request, listening tour on cyber incident reporting
The Cybersecurity and Infrastructure Security Agency (CISA) is preparing to formally seek input from the public on how to best create an incident reporting regime for attacks on critical infrastructure.
The agency will issue a request for information “in the next couple days” to “help us inform our rule-making process,” CISA Director Jen Easterly said Wednesday during the Billington Cybersecurity Summit in Washington.
CISA will also hold 11 listening sessions around the country to gain additional feedback, she said.
“I’m very excited for that. As you know, I spent over a decade at the National Security Agency so I’m very good at listening,” Easterly joked.
Earlier this year President Joe Biden signed into law a spending bill that included a measure giving CISA up to two years to publish an interim rule detailing how critical infrastructure companies and operators should report breaches, as well as an additional 18 months to issue a final rule.
However, Easterly and other agency officials have said they hope to move much faster than that timetable due to concerns about future hacks.
Easterly said it is “hugely important... to make sure that we are not overly burdening the private sector,” especially private entities that are “under duress if they have been attacked.”
In addition to its work on incident reporting, Easterly said CISA would hold a call later today with the United Kingdom’s National Cyber Security Centre about the recent wave of ransomware attacks that have hit that country.
The agency also will release its first “strategic plan” in the coming days and will co-chair, along with the FBI, the first meeting of federal agencies that are members of a public-private ransomware task force created by the spending bill, she said.
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication’s cybersecurity newsletter.