CISA issues notice of proposed rulemaking outlining covered cyber incidents, policies for reporting

The Cybersecurity and Infrastructure Security Agency has issued a highly anticipated notice of proposed rulemaking establishing parameters for its upcoming mandatory incident reporting regime, including proposed definitions for covered cyber incident, reporting timelines and enforcement policies.

“The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), as amended, requires the Cybersecurity and Infrastructure Security Agency (CISA) to promulgate regulations implementing the statute’s covered cyber incident and ransom payment reporting requirements for covered entities. CISA seeks comment on the proposed...