On April 4, the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued a proposed rule on cyber incident reporting. CISA’s proposal includes a reporting framework that would require broad segments of industry, including the 16 Critical Infrastructure Sectors (e.g., Chemical Sector), to meet reporting requirements following certain cyber incidents.

Significant elements of the proposal include the following:

  • A broad range of reportable incidents
  • Reporting timelines
  • Form and content requirements
  • Data preservation and recordkeeping requirements
  • Enforcement mechanisms
  • Exceptions to the reporting requirements
  • Company protections

Notably, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law in 2022. CIRCIA requires covered entities to report to CISA within certain prescribed timeframes any covered cyber incidents, ransom payments made in response to a ransomware attack, and any substantial new or different information discovered related to a previously submitted report. CIRCIA also requires CISA to implement these reporting requirements through a formal rulemaking.

CISA will be accepting comments on the proposed rule through June 3, 2024. Additional information on the proposal can be found here.

Contact ACA’s Rhett Cash for more information.