Groups Urge CISA to Develop Simple Mechanism for Cyber Incident Reporting
There is a range of viewpoints on how the Cybersecurity and Infrastructure Security Agency should craft its forthcoming cyber incident reporting regulations.
But one common refrain amid the debates over who should be required to report and what exactly constitutes a reportable incident: CISA should develop a simple mechanism that makes it easy for organizations across 16 critical infrastructure sectors to report cyber incidents within the 72-hour window required under the law.
CISA released a request for information (RFI) in September posing a range of policy and practical questions about the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The deadline for responses was Nov. 14. Under the statute, CISA has until March 2024 to issue a notice of proposed rulemaking on the incident reporting regulations.
The Cybersecurity Coalition, a group of firms that counts Cisco, Google and Microsoft among its members, wrote in comments that CISA “should establish a single, secure portal” for entities to report both cyber incidents and ransom payments.
“This portal should be accessible via mobile devices and out-of-band communication channels in the event normal channels are compromised,” the coalition wrote.
The MITRE Corporation made similar comments, pointing out how many organizations use different tools and applications to share information about cyber incidents.
“Especially in the early stages of information reporting, it should be as easy as possible to report information, recognizing that reporting systems may be compromised, and/or some organizations have more limited capabilities to report information,” MITRE wrote. “Capabilities that enable comparative ease of reporting include: the ability to phone directly, a basic web application, and an instant messaging application. Requirements should clarify how these types of capabilities will be provided/accessed.”
USTelecom said its members have expressed concerns about the “substantial resources” they will need to comply with a growing set of cybersecurity regulations.
“It will be essential to streamline the contents of reports as much as possible – by developing a common format – while allowing a variety of flexible reporting mechanisms that could ideally be tailored to the unique needs of organizations,” the trade group wrote in its comments.
Another key question CISA will have to answer in its rulemaking is what type of information organizations will have to report when they experience a cyber incident.
The Municipal Information System Association of California suggested “a simple and secure mechanism” would include logic-prompting follow-up questions “to allow for a balance of simplicity and ensuring the appropriate information is included to match the incident being reported.”
The group suggested the report include the impacted agency; the date of the incident; the date it was discovered; indicators of compromise; the type of data compromised, if applicable; other agencies mandated to receive the report; a description of the incident; the steps the organization has taken so far; and security logs.
Several groups suggested CISA develop a web-based form with drop-down menus and pre-populated fields to make incident reporting easy and accessible. One major concern is that some organizations, especially smaller ones with limited resources, will be too busy in the throes of responding to a cyber incident to meet incident reporting requirements.
“Having the forms be available and filed through an on-line portal is critical, as well as having mobile versions and an [Application Programming Interface] for machine readable submissions,” the Cyber Threat Alliance wrote. “Many organizations lack access to sophisticated cybersecurity practitioners, and those experiencing a significant cyber incident have limited time and capacity to meet reporting requirements. The government should minimize the burden on covered entities in these situations.”
The Workgroup for Electronic Data Interchange (WEDI), a group focused on data sharing in the healthcare sector, suggested CISA ensure the forms allow users to return to an initial report and submit additional data as they learn more about a cyber incident.
“Cyber incidents are rarely straightforward, and an entity’s understanding of the incident can evolve as additional information comes to light,” WEDI wrote. “This is even more likely with the expedited timing requirements for the reporting entity. The process should actually encourage reporting entities to revise their earlier reports as they learn additional details regarding the incident.”
WEDI and other groups also emphasized how the reporting portal needs to be secure, as organizations will be sharing potentially sensitive data with CISA in the process of reporting cyber incidents.
“CISA must deploy the appropriate measures to maintain a high level of security for both the data being reported via the web and all data collected,” WEDI wrote. “We recommend CISA include in the reporting instructions and on the web portal/mobile app the steps the agency is taking to ensure the security of the data is maintained and all associated privacy policies and procedures. We also recommend CISA specify how the reported data will be used, who will have access to the information, and how long the information will be retained.”
Meanwhile, the Operational Technology Cybersecurity Coalition said CISA should ensure its reporting mechanism remains “technology- and vendor-neutral” to avoid vendor lock-in.
“Not only do proprietary solutions create vendor lock-in, but they also create barriers that could make it challenging for covered entities to report covered incidents in the timeline provided under CIRCIA,” the group wrote. “Incident reporting to CISA should be as simple as possible and allow covered entities to report incidents efficiently, using any mechanism that is easy for the entity to use and is compliant with CISA’s final approach, without having to purchase or contract for third-party solutions.”