Congressional Research Service reviews CISA incident reporting notice of proposed rulemaking

A new report from the Congressional Research Service provides an overview of CISA’s notice of proposed rulemaking published on April 4 to establish a mandatory cyber incident reporting regime for critical infrastructure.

Congress directed CISA under the 2022 Cyber Incident Reporting for Critical Infrastructure Act to develop a regime where covered entities would report incidents within 72 hours and 24 hours for a ransom payment. The law gives 18 months following the release of the NPRM to issue a final...