
New CISA incident reporting draft rule deemed excessive


Although it is considered crucial to bolstering cyber awareness, the Cybersecurity and Infrastructure Security Agency's draft cyber incident reporting rule, which would require critical infrastructure entities to make cyber incident and ransomware disclosures within 72 and 24 hours, respectively, is regarded by trade groups and lawmakers as increasing burdens not only on smaller organizations but also on CISA itself, CyberScoop reports.

The more extensive requirements under the draft rule should be harmonized with existing reporting regulations, said groups at a hearing of the House Homeland Security Committee's cybersecurity subcommittee. That sentiment has gained the support of Rep. Eric Swalwell, D-Calif., who emphasized the need to ensure that the incident reporting rules do not cover non-relevant small and medium-sized businesses.

On the other hand, Bank Policy Institute Senior Vice President of Technology and Risk Strategy Heather Hogsett said that significant report volumes would likely overwhelm CISA, while Edison Electric Institute Senior Vice President of Security and Preparedness Scott Aaronson noted that the recent attack against CISA indicates data security issues faced by the agency.
