Mayorkas: Mandatory CISA incident reporting timeframe needs to consider ‘burden’ on critical infrastructure owners

The Cybersecurity and Infrastructure Security Agency is taking a close look at the 72-hour incident reporting clock as it crafts a proposed rulemaking for the mandatory regime recently authorized by Congress, Homeland Security Secretary Alejandro Mayorkas testified in front of a key House committee.

The incident reporting law pertains to critical infrastructure owners and directs CISA to publish a notice of proposed rulemaking within 24 months. The 72-hour clock for a “covered entity” to report an incident starts “not...