CISA incident reporting RFI asks for feedback on key definitions, reporting procedures to shape upcoming regulation

Scoping key terms including “covered entity” and “substantial cyber incident” for CISA’s incident reporting regulation are among the important topics in a new CISA request for information published today, along with questions on reporting procedures and liability considerations.

The Cybersecurity and Infrastructure Security Agency is gathering public feedback to inform implementation of the Cyber Incident Reporting for Critical Infrastructure Act, known as “CIRCIA.” The law directs CISA to set up a mandatory regime where critical infrastructure entities will have 72...