“Speaking on June 1 at a cybersecurity conference organized by Boston College, CISA Executive Director Brandon Wales ran down the lengthy timeline for an incident reporting rulemaking as spelled out in the Cyber Incident Reporting for Critical Infrastructure Act approved by Congress earlier this year as part of full-year FY2022 spending legislation.
The legislation – once implemented by a rulemaking from CISA – will obligate critical infrastructure owners and operators to report certain cyber incidents to CISA within 72 hours, and to report ransomware payments they made to attackers within 24 hours…
‘There will be a number of opportunities for the private sector to provide feedback,’ Wales said. ‘People will start hearing from us extremely quickly on ways that we will be soliciting industry input,’ he pledged.
‘There are some big questions we have to answer’ in the rulemaking, he continued. These include what entities are covered by the law, what are the precise trigger thresholds for reporting, and what kind of information will be required to be reported…” Read the full article here.
Source: CISA’s Wales Sees ‘Aggressive’ Pace on Incident Reporting Rule – By John Curran, June 1, 2022. MeriTalk.