CISA outlines triggers for reporting cyber incidents in proposed rulemaking

The Cybersecurity and Infrastructure Security Agency goes into detail on the triggers for reporting cyber incidents, including “reasonable belief,” and the need for supplemental reports, in a notice of proposed rulemaking posted Wednesday to implement a major incident reporting law.

The NPRM follows the timeframe requirement in the 2022 Cyber Incident Reporting for Critical Infrastructure Act of 72 hours for covered entities to report incidents to the agency, while laying out parameters on “reasonable belief” for when the clock should...