DHS Tackles Cyber Incident Reporting Inconsistencies With Report to Congress
DHS encouraged Congress to consider model definitions and timelines for reportable cyber incidents to help streamline critical infrastructure incident reporting processes.
In a new report, the Department of Homeland Security (DHS) issued recommendations to Congress on how the federal government could improve critical infrastructure cyber incident reporting. Notable recommendations include streamlining the reporting process by establishing a single reporting web portal and creating a model incident report form that federal agencies can adopt.
The report, titled “Harmonization of Cyber Incident Reporting to the Federal Government,” was a deliverable required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), signed into law in March 2022. CIRCIA established the Cyber Incident Reporting Council (CIRC), which took the lead on the report and represents leaders from 33 federal agencies.
The report acknowledged ongoing challenges that stem from duplicative federal cyber incident reporting requirements. Currently, there are 52 cyber incident reporting requirements either in effect or proposed across the federal government.
“Agencies with cyber incident reporting requirements typically have their own reporting mechanisms and methods for ingesting reports. As a result, reporting entities that are regulated by more than one agency are required to submit multiple reports while potentially managing and responding to an incident and its immediate impact,” the report noted.
What’s more, many critical infrastructure sectors must comply with cross-sector disclosure rules that add another layer of reporting complexity. The report pointed to the Federal Trade Commission’s (FTC) Health Breach Notification Rule and the Securities and Exchange Commission’s (SEC) final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure as examples of this phenomenon.
DHS pointed to differences in definitions, reporting mechanisms, timelines, and report content as top challenges to the harmonization of incident reporting requirements.
“Existing regulatory frameworks have employed different language to define reportable cyber incidents or otherwise describe the threshold of what is reportable,” the report noted. “Existing definitions and thresholds and those proposed in forthcoming regulatory frameworks will need to be considered as part of future harmonization efforts.”
These inconsistencies have exacerbated ongoing reporting complexities, DHS suggested. To solve these problems, DHS first recommended that the federal government “adopt a model definition of a reportable cyber incident wherever practicable.”
CIRC developed a model definition that incorporates elements of existing definitions and could be customized by federal agencies to fit sector-specific guidelines:
A reportable cyber incident is a cyber incident that leads to, or, if still under the covered entity’s investigation, could reasonably lead to any of the following:
(1) a substantial loss of confidentiality, integrity, or availability of a covered information system, network, or operational technology;
(2) a disruption or significant adverse impact on the covered entity’s ability to engage in business operations or deliver goods, or services, including those that have a potential for significant impact on public health or safety or may cause serious injury or death;
(3) disclosure or unauthorized access directly or indirectly to non-public personal information of a significant number of individuals; or
(4) potential operational disruption to other critical infrastructure systems or assets.
The term “reportable cyber incident” includes, but is not limited to, indications of compromises of information systems, networks, or operational technologies of customers or other third parties as well as a business or operational disruption caused by a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider.
The term “reportable cyber incident” does not include: (i) any lawfully authorized activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States, including activities undertaken pursuant to a warrant or other judicial process; (ii) any event where the cyber incident is perpetrated in good faith by an entity in response to a specific request by the owner or operator of the information system; or (iii) the threat of disruption as extortion, as described in CIRCIA section 2240(14)(A).
In addition to a streamlined definition of a reportable cyber incident, DHS recommended that the federal government adopt model cyber incident reporting timelines and triggers. The report also suggested developing model language for delaying public notification of a cyber incident, especially for instances where premature notification may tip off threat actors.
Other recommendations included enhanced communication between federal agencies and improvements to existing reporting mechanisms.
To make these recommendations a reality, DHS urged Congress to remove any legal or statutory barriers to the harmonization of incident reporting mentioned in the report.
“To address these barriers or other barriers that may prevent adoption by certain agencies of model provisions or forms developed by the CIRC, Congress may consider legislation, for example, that authorizes agencies to align their regulatory requirements to CIRC recommendations notwithstanding other provisions of law,” the report noted. “Such an authorization will permit Federal agencies to assess any statutory, legal, or policy challenges to adopting the recommendations for harmonization.”
DHS also encouraged Congress to provide funding and authority to federal agencies to further enable them to collect and share common cyber incident data elements that might otherwise not be authorized.
DHS and CIRC made it clear that these recommendations are just the start of a joint effort to streamline reporting requirements. Next steps include collecting stakeholder feedback and revising the recommendations in response to it.
“The recommendations that DHS is issuing today provide needed clarity for our partners. They streamline and harmonize reporting requirements for critical infrastructure, including by clearly defining a reportable cyber incident, establishing the timeline for reporting, and adopting a model incident reporting form,” Secretary of Homeland Security Alejandro N. Mayorkas said in a press release accompanying the report.
“These recommendations can improve our understanding of the cyber threat landscape, help victims recover from disruptions, and prevent future attacks. I look forward to working with Congress and partners across every level of government and the private sector to implement these recommendations and strengthen the resilience of communities across the country.”