
New CISA cyber incident reporting draft unveiled


The Cybersecurity and Infrastructure Security Agency has unveiled a draft cyber incident disclosure rule, created under the Cyber Incident Reporting for Critical Infrastructure Act, that would require organizations in the 16 designated critical infrastructure sectors to report ransomware incidents within 72 hours and ransomware payments within 24 hours, according to CyberScoop.

According to the proposed rule, CISA would use the incident information to support its threat analysis, mitigation, and incident response efforts. The rule would also require distributed denial-of-service notifications only in the event of prolonged disruptions. Public comments on the draft rule will be open for two months following its publication on April 4.

Meanwhile, I Am The Cavalry founder and former CISA COVID Task Force Chief Strategist Josh Corman expressed concern that the rule's use of outdated sector-specific and size-based criteria to determine required incident reporting would be detrimental, particularly to smaller healthcare providers.
