The US Department of Homeland Security (DHS) has proposed simplifying the rules for federal cyber incident reporting by creating a single web portal where affected organizations can file such reports. The proposal is part of an effort to streamline the 52 current or proposed requirements for reporting cyber incidents, in accordance with the law signed in March of last year.
The Cybersecurity and Infrastructure Security Agency (CISA) is leading the process of streamlining these regulations, which coincides with the upcoming release of its own rules under CIRCIA.
Recently, Robert Silvers, the DHS policy advisor, presented a 107-page report to Congress on the harmonization of cyber incident reporting to the federal government. The report outlines the collaborative work conducted with 33 federal agencies, including the Departments of Finance, Defense, Justice, Agriculture, and Trade.
Silvers emphasized the importance of optimizing the reporting requirements to ensure that federal agencies receive the necessary information without burdening affected companies excessively.
The report includes several recommendations, such as clarifying the definitions, timeframe, and triggers for reporting cyber incidents to help organizations understand their reporting obligations. It also suggests considering delaying notifications of cyber incidents in cases where wide publicity could jeopardize critical infrastructure, national security, public order, or ongoing law enforcement investigations.
Furthermore, the report proposes the adoption of a standardized reporting form for cyber incidents across agencies, and explores the feasibility of integrating this form into reporting mechanisms, web portals, or other platforms. The creation of a single portal for streamlined reporting and distribution of reports is also recommended, along with updates to existing reports and the development of additional reports to enhance reporting requirements.
Alejandro Mayorkas, the Secretary of the US Department of Homeland Security, emphasized that these recommendations aim to improve understanding of the cyber threat landscape, support victims in recovering from incidents, and prevent future attacks.
The report also outlines the steps that CISA plans to take, including requesting Congress to exclude cyber incident reports from requests under the Freedom of Information Act.
CISA Director Jen Easterly expressed optimism that mandatory reporting will enable the identification of trends and preemptive actions to prevent potential targets from being attacked.