CISA crucial in ensuring info sharing success under cyber incident reporting law

Cybersecurity information sharing could reach a breakthrough under the recently passed Cyber Incident Reporting for Critical Infrastructure Act of 2022 but cybersecurity experts noted that its success is hinged on the implementation rules of the Cybersecurity and Information Security Agency, CyberScoop reports. Some industries will be required by the law, which is poised to be effective as late as 2025, to report hacking incidents within 72 hours and disclose ransomware payments within 24 hours, but the extent of information to be required, which is still unknown, is crucial in ensuring timely feedback with the private sector, with American Gas Association Senior Manager for Security Amanda Sramek emphasizing the industry's desire for concise information. CISA would also have to do significant back-end work to properly implement the incident reporting process as it navigates existing federal regulations, said Cyber Threat Alliance President and CEO Michael Daniel. CISA should also have its data processing and analysis examined by Congress, according to Mark Montgomery, senior director at the Foundation for Defense of Democracies' Center on Cyber and Technology Innovation. "We will not be successful if all [CISA does] is write a great set of business rules about how to receive the data," Montgomery added.