Inside Cybersecurity

Industry info-sharing groups express concerns over additional burden on companies through CISA reporting regime

By Sara Friedman / November 17, 2022

Three information sharing groups that represent critical infrastructure sectors say CISA needs to weigh the burden that new mandatory incident reporting requirements will place on industry and limit its requests to details that will produce useful information for companies in return.

The Cyber Incident Reporting for Critical Infrastructure Act, known as “CIRCIA,” directs CISA to establish a mandatory regime under which covered cyber incidents must be reported within 72 hours and ransomware payments within 24 hours. The law, enacted in March, gives CISA 24 months to issue the notice of proposed rulemaking, followed by an additional 18 months to issue the final rule.

The information sharing and analysis centers for the information technology, health and maritime transportation system sectors each submitted comments on Monday to CISA responding to a request for information.

The IT-ISAC says, “To begin, we would like to emphasize the importance of developing and implementing regulations that do not further strain security resources. Private enterprise operates in an environment of finite resources such as talent and money. Resources that are devoted to ensuring compliance with mandatory reporting requirements are resources that are not available to actively mitigate or respond to an incident.”

The IT sector group focuses its comments on providing input on the definition of a “covered entity” and “covered cyber incident” and the submission process for reports.

“To balance the requirements to report with the need to resolve an incident,” the IT-ISAC says, “the process of submitting reports should be as simple as possible. There should be multiple options for submitting the information such as a secure web interface, secure email, and use of STIX/TAXII and other automation tools.”

“It is important that organizations have the option to automate submissions through an API [application programming interface],” the IT-ISAC writes. “The information required for the incident submission should be detailed enough to provide CISA with situational awareness without providing an undue burden to the submitting organization.”

The MTS-ISAC is composed of “port authorities, terminal operators, vessel operators, logistics operators, cruise lines, energy sector, and other stakeholders associated with maritime transportation,” according to the second group’s submission to CISA.

The transportation sector is already subject to several reporting requirements from other agencies, including TSA security directives, the Coast Guard and U.S. Customs and Border Protection.

The MTS-ISAC says, “Our U.S. critical infrastructure stakeholders are regulated facilities under the Maritime Transportation Security Act (MTSA), and as such are required to report activities that may result in a Transportation Security Incident (TSI) – including cyber incidents – to the National Response Center (NRC). The NRC is expected to then notify other relevant agencies, including CISA. Furthermore, multiple states also require cyber incident reporting.”

“In the midst of a cyberattack,” the MTS-ISAC says, “we need critical infrastructure stakeholders focused on effective incident response to hopefully maintain a resilient operating state. We do not need them bleeding their resources dry trying to report to more than a dozen different governmental parties that want the information, especially when they have never clarified how that information will be used to protect critical infrastructure or be shared with other critical infrastructure stakeholders to help prevent additional incidents.”

There are “at least” 18 federal agencies that are involved in the maritime sector, and the MTS-ISAC says, “adding an additional layer of bureaucracy is most unwelcome for our stakeholders and would further impede their ability to respond to a cyberattack, restore critical systems, and return to normal functions.”

The MTS-ISAC says, “This is a disappointing aspect of CIRCIA. It represents a one-way street of additional reporting to the U.S. government with no guarantees or timelines as to when that information will be shared with the U.S. critical infrastructure community. This must be remedied to have a positive effect on critical infrastructure cyber resiliency.”

The Health-ISAC’s comments take a different approach from those of its IT and maritime counterparts by proposing language for key definitions in the upcoming regulation, while also advocating that the H-ISAC be allowed to submit incident reports directly to CISA on behalf of covered entities.

“CISA should consider mandatory reporting requirements to be satisfied if those reports are sent by covered entities through their respective critical infrastructure sector ISACs to CISA,” the H-ISAC writes in joint comments with the Health Sector Coordinating Council.

The health groups say, “The ISAC path allows the covered entity to report the required information while doing so without attribution to the specific covered entity if that organization desires such anonymity.”

CISA should delineate the “type of information, general timelines, and methodology” that it will use to share information with ISACs and the covered entities, and the “type of support services that will be available to covered entities after they report a covered incident,” according to the health sector comments.

On bidirectional information sharing, the MTS-ISAC asks CISA to include in the rulemaking a “no greater than 24-hour requirement for the reported threat information related to an incident to be shared back out to the critical infrastructure sectors.”

The MTS-ISAC writes, “This sharing should include via the National Council of ISACs and/or the MTS-ISAC for incidents related to our critical infrastructure sector. This information is vital to be shared to limit the damage done by cyber attacks and improve the overall resiliency of the sector. We need our Federal partners to actively engage and provide two-way communication in order to allow us to prepare for and respond to threats.”

The MTS-ISAC notes that the maritime sector is currently “excluded entirely” from CISA’s Joint Cyber Defense Collaborative.

CISA has touted the JCDC as a model for the agency’s operational collaboration goal. Its initial launch focused on technology companies and has expanded over the past year to include new segments for industrial control systems and the elections sector.

The IT-ISAC wants CISA to work with information sharing and analysis centers to share attackers’ tactics, techniques and procedures in a timely manner, to support industry prevention and detection activities.

The IT-ISAC says CISA should “[e]stablish rules that declare that reporting a cyber incident to the FBI fulfills the victim organization’s reporting requirements and institutes methods for sharing between the FBI and CISA” and also “[l]imit the number of mandatory reporting elements to only what is necessary to achieve program objectives.”

CISA has received a wide range of feedback from stakeholders across critical infrastructure sectors including information technology, communications, banking, pipelines, electric utilities, health and water. The U.S. Chamber of Commerce submitted comments as well as individual companies interested in helping CISA shape the regulation.

Major pipeline associations want ISACs to be a focal point of CISA’s upcoming regime, as an avenue to quickly share details back to industry, while comments from banking groups urge CISA to set a “malicious intent” threshold for reporting. -- Sara Friedman