DHS floats idea of single cyber incident reporting portal

The Department of Homeland Security (DHS) suggested several new ideas for how to make federal cyber incident reporting rules simpler for victim organizations — including the concept of a single reporting web portal.

There are currently 52 in-effect or proposed federal cyber incident reporting requirements. As part of the cyber incident reporting bill that was signed into law last March, the Cybersecurity and Infrastructure Security Agency (CISA) was tasked with examining and streamlining the regulations.

The effort is being coordinated in advance of the release of CISA’s own rules that will make up the Cyber Incident Reporting for Critical Infrastructure Act — which CISA officials refer to by its acronym CIRCIA.

On Tuesday, DHS Undersecretary for Policy Robert Silvers delivered a 107-page report to Congress outlining its work with 33 federal agencies to harmonize cyber incident reporting. In addition to DHS, the Treasury, Defense, Justice, Agriculture and Commerce departments were involved in the effort alongside several regulatory agencies like the Securities and Exchange Commission, the Federal Trade Commission and the Federal Communications Commission.

“To develop these recommendations, the Cyber Incident Reporting Council analyzed over 50 different federal cyber incident reporting requirements and engaged with numerous industry and private sector stakeholders,” Silvers said. “It is imperative that we streamline these requirements. Federal agencies should be able to receive the information they need without creating duplicative burdens on victim companies that need to focus on responding to incidents and taking care of their customers.”

The recommendations say:

• The federal government should clarify definitions, timelines and triggers of a reportable cyber incident so that organizations understand if and when they need to report something.
• Agencies with requirements for covered entities to provide notifications to affected individuals or the public should consider whether a delay is warranted when such notification poses a significant risk to critical infrastructure, national security, public safety, or an ongoing law enforcement investigation.
• The Federal Government should adopt a model reporting form for cyber incident reports and agencies should evaluate the feasibility of leveraging the form for cyber incident reporting or incorporate the data elements identified therein into reporting forms, web portals, or other submission mechanisms.
• Agencies and the federal government should consider the potential creation of a single portal as a way to streamline the receipt and sharing of cyber incident reports and cyber incident information.
• Federal cyber incident reporting requirements should allow for updates and supplemental reports.

Other recommendations include adopting common incident terminology and improving inter-agency coordination.

“In the critical period immediately following a cyberattack, our private sector partners need clear, consistent information-sharing guidelines to help us quickly mitigate the adverse impacts,” said Secretary of Homeland Security Alejandro Mayorkas.

“The recommendations that DHS is issuing today provide needed clarity for our partners. They streamline and harmonize reporting requirements for critical infrastructure, including by clearly defining a reportable cyber incident, establishing the timeline for reporting, and adopting a model incident reporting form.”

Mayorkas added that the recommendations can “improve our understanding of the cyber threat landscape, help victims recover from disruptions, and prevent future attacks.”

The report outlines steps CISA plans to take to harmonize all of the rules and also provides three tasks to Congress that would help the process – including the removal of legal or statutory barriers to harmonization as well as authority and funding for the efforts.

The report also asks Congress to exempt the incident reports from Freedom of Information Act requests that would make the reports public.

In a statement, CISA Director Jen Easterly reiterated her hope that mandated incident reporting will help defenders spot trends in real-time, rapidly render assistance to victims, and share information to warn other potential targets before they become victims.

“We also recognize that the need for this information must be balanced with the burdens placed on industry, ensuring that requirements are harmonized and streamlined as effectively as possible,” she said.

“As the Cybersecurity and Critical Infrastructure Agency (CISA) implements reporting requirements as part of the Cyber Incident Reporting for Critical Infrastructure Act, these recommendations – along with the extensive input from stakeholders submitted as part of our rulemaking process – will help inform our proposed rule.”