New CISA Cybersecurity Reporting Rule Summary:
- Goal: Quick sharing of incident info to assist affected entities, warn others, and identify trends for homeland protection.
- Date Announced: March 27
- Requirement: Critical infrastructure companies must report cyberattacks within 72 hours and ransom payments within 24 hours.
- Scope: Applies to all critical infrastructure sectors, including food and agriculture, except small businesses.
- Proposal Details: 447 pages, defines reporting criteria for different sectors. Acknowledges NGFA’s 2022 recommendations to exclude small companies.
- Estimated Impact: Affects approximately 316,000 entities, with an expected 25,000+ reports annually starting in 2026.
- Cost: Projected at $2.6 billion over 11 years.
- Legislative Background: Follows the Cyber Incident Reporting for Critical Infrastructure Act signed into law by President Joe Biden in March 2022.
- Next Steps: After Federal Register publication on April 4, CISA will accept public comments for 60 days.
How will the new mandates impact cybersecurity strategies for critical infrastructure?