
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

DHS Makes Recommendations to Harmonize Reporting of Cyber Incidents to the Federal Government

The U.S. Department of Homeland Security (DHS) has issued a report to Congress that includes recommendations on how the reporting of cyber incidents to the Federal government can be harmonized to better protect the nation’s critical infrastructure.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) directs the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to develop new cyber incident reporting requirements. Currently, there is a patchwork of cyber incident reporting requirements across the Federal government and the larger ecosystem. Some of the reporting requirements are focused on national security, others on economic security or public safety, and some have consumer, investor, or privacy considerations.

To avoid duplication and harmonize cyber incident reporting, CIRCIA established a Cyber Incident Reporting Council (CIRC), tasked with coordinating, deconflicting, and harmonizing Federal incident reporting requirements. CIRCIA also calls for the Secretary of Homeland Security to provide Congress with a report that identifies duplicative reporting requirements, the challenges to harmonization, the actions the CISA Director intends to take to facilitate harmonization, and proposed legislative changes to address duplicative reporting.

The report includes several recommendations for reducing the current complexity of reporting cyber incidents, including the adoption of a model definition of a reportable cyber incident, model timelines for reporting, and ways to better align the content of cyber incident reports, with the aim of moving toward a model reporting form that all federal agencies can adopt. Currently, there are 52 different cyber incident reporting requirements across the federal government that are either in effect or have been proposed. Each agency has its own reporting requirements, mechanisms, timelines, and methods for ingesting reports, and agencies often use different language to define a security incident and apply different reporting thresholds.


Some reporting entities are regulated by more than one federal agency and are required to send multiple reports about the same security incident, often while they are still responding to and managing it. For instance, some entities are required to report security incidents under both the Federal Trade Commission (FTC) Breach Notification Rule and the SEC’s final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, while eight federal agencies require the financial services sector to report incidents that have a cyber nexus. In healthcare, an incident may need to be reported to the HHS’ Office for Civil Rights, the FTC, and the Food and Drug Administration. Incidents that trigger multiple reports may involve breaches of different types of data in separate systems, and while these may be classed as separate data breaches, they may all stem from the same cyber incident. This duplication in security incident reporting adds unnecessary complexity.

The DHS has recommended that all federal agencies adopt a model definition of a reportable cyber incident. A proposed definition is included in the report; it was developed from several recommended practices that federal agencies already use when defining a reportable cyber incident, and the DHS recommends that it be adopted by all federal agencies as far as is practicable. The adoption of model reporting timelines and triggers has also been proposed, and the DHS recommends that model language be developed for delaying public notification of a cyber incident, such as when a delay is necessary to avoid alerting a threat actor that a breach has been detected. The DHS has also recommended that federal agencies evaluate the feasibility of using a model form for reporting cyber incidents and of incorporating common data elements into their reporting forms, web portals, and other submission mechanisms to simplify the process for reporting entities.

The DHS also recommends enhancing communication between federal agencies and improving the current reporting mechanisms, ideally by providing a single portal for reporting security incidents. The DHS has also asked Congress to provide federal agencies with the funding and authority needed to collect and share common data elements, since existing legislation may not authorize the sharing of all of that information, and to remove any legal or statutory barriers that could prevent the adoption of the proposed model provisions and forms.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
