A single reporting portal for cyber incidents — a panacea or a headache for business?

The United States plans to adopt new standards in the field of cyber reporting.

The US Department of Homeland Security (DHS) has proposed to simplify the rules for federal reporting on cyber incidents for affected organizations, including by creating a single web portal for such reports.

Currently, there are 52 existing or proposed requirements for reporting cyber incidents. In accordance with the law signed in March last year, the Cybersecurity and Infrastructure Security Agency (CISA) is involved in the process of optimizing these regulations. This work comes ahead of the release of CISA's own CIRCIA rules.

On September 19, DHS Undersecretary for Policy Robert Silvers presented a 107-page report to Congress outlining work with 33 federal agencies to unify reporting on cyber incidents. In addition to DHS, the Ministries of Finance, Defense, Justice, Agriculture, and Commerce participated in the work.

Silvers emphasized the importance of optimizing requirements: "Federal agencies should receive the necessary information without creating an excessive burden on affected companies."

The report's recommendations include:
  • The Federal Government should clarify the definitions, time frames, and triggers of a reportable cyber incident, so that organizations understand whether they need to report something, and when.
  • Agencies should consider delaying cyber incident notifications if widespread publicity threatens critical infrastructure or national security, public order, or the progress of an ongoing law enforcement investigation.
  • The Federal Government should adopt a standard reporting form for cyber incident reporting, and agencies should evaluate whether the cyber incident reporting form can be used or whether the data elements specified in it can be incorporated into reporting forms, web portals, or other reporting mechanisms.
  • Agencies and the Federal Government should consider creating a single portal to facilitate the reception and distribution of cyber incident reports.
  • Federal requirements for reporting cyber incidents should include updating existing reports and creating additional reports.

Alejandro Mayorkas, the head of the US Department of Homeland Security, stressed that the proposed recommendations can "improve understanding of the cyber threat landscape, help victims recover from failures and prevent future attacks."

The report also outlines steps that CISA plans to take and its requests to Congress, including exempting reports from Freedom of Information Act requests.

CISA Director Jen Easterly expressed the hope that mandatory reporting will help to quickly identify trends and warn potential targets before they are attacked.
 