Skip to main content
close search
site logo
Dive Brief

CISA director: Critical infrastructure cyber incident reporting rules almost ready

The Cybersecurity and Infrastructure Security Agency is in the final stages of work on the reporting requirements included in a March 2022 law.

Published Sept. 8, 2023
David Jones's headshot
Reporter
Jen Easterly speaks during a fireside chat at the Billington Cybersecurity Summit.
Jen Easterly speaks during a fireside chat at the Billington Cybersecurity Summit. Courtesy of Billington

Dive Brief:

  • Final work is underway for the Cyber Incident Reporting for Critical Infrastructure Act, which Cybersecurity and Infrastructure Security Agency Director Jen Easterly expects to be done by the end of this year or early 2024 at the latest, she said Wednesday at the Billington Cybersecurity Summit. The act, signed in March 2022, requires critical infrastructure providers to report major cyber incidents and ransomware payments to the agency.
  • “But until we have that in place, we need to make sure we are communicating around threats, realizing that a threat to one is a threat to many,” Easterly said. 
  • Easterly said the agency has made significant progress in building a collaborative model for sharing intelligence and gaining visibility into threats facing the nation, but said more work still needs to be done.

Dive Insight:

Easterly discussed the evolution CISA has made in expanding partnerships, sharing threat information and gaining real-time intelligence in order to help disrupt threats. 

The agency has forged significant relationships with various organizations to gain a foothold against malicious cyber activity over the past two years. 

In July, CISA partnered with Microsoft to gain enhanced visibility into security logs, after suspected China-based hackers gained access to sensitive emails in the U.S. State Department and Department of Commerce. Federal officials, including Sen. Ron Wyden, D-Oregon, heaped withering criticism against the company for its security policies.

CISA has been behind a concerted effort to make sure cloud providers and other technology companies infuse security into their platforms without requiring customers to pay an extra premium.

Earlier this year, CISA launched a pilot program to warn critical infrastructure providers about looming ransomware attacks. The Joint Ransomware Task Force is running the program, which involves warning organizations about internet-accessible vulnerabilities that have been linked to specific ransomware groups. 

Easterly called on corporate boards and C-suite executives to take ownership over cybersecurity, warning that responsibility for cyber risk cannot be just handed off to CISOs and ignored by senior leadership. 

Governance and risk concerns have taken on heightened importance in recent weeks after the Securities and Exchange Commission voted to require disclosure of material incidents within four business days and annual reporting on corporate risk mitigation strategies.

Editors' picks

Company Announcements

View all | Post a press release
Mystic Valley Elder Services Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
CUSO Financial Services, LP Data Breach Investigation
From Migliaccio & Rathod LLP
October 31, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
Editors' picks
Latest in Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell