
CISA Requests Public Comment on Implementing Regulations for the Cyber Incident Reporting for Critical Infrastructure Act


On September 12, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) published a Request for Information, seeking public comment on how to structure implementing regulations for reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).  Written comments are requested on or before November 14, 2022 and may be submitted through the Federal eRulemaking Portal: http://www.regulations.gov.

Overview of CIRCIA.  CIRCIA was signed into law on March 15, 2022 and establishes two cyber incident reporting requirements for covered critical infrastructure entities:

  1. A 24-hour requirement to report any ransomware payments to CISA; and
  2. A 72-hour requirement to report all covered cyber incidents to CISA.

These requirements will take effect upon the issuance of implementing regulations from the Director of CISA.  The Act directs CISA to issue a Notice of Proposed Rulemaking (“NPRM”) within 24 months of the date of enactment to implement the Act’s requirements, and to issue a final rule within 18 months of issuing the NPRM.

Request for Information.  CISA is seeking public comment through its Request for Information on potential aspects of the proposed regulation prior to publication of the NPRM.  According to the Request for Information, CISA is particularly interested in public input regarding:

  • Definitions, criteria, and the scope of regulatory coverage, including the scope of covered entities and covered incidents;
  • Report contents and submission procedures, including when timing requirements for various reporting requirements will begin to run;
  • Other incident reporting requirements and security vulnerability information sharing; and
  • Additional policies, procedures, and requirements.

Looking Ahead.  As noted, written comments are requested on or before November 14, 2022. Submissions received after that date may not be considered.  Comments may be submitted through the Federal eRulemaking Portal: http://www.regulations.gov. CISA will also be hosting public listening sessions throughout the comment period as an additional means for interested parties to provide input. 


