The CISA’s new proposed rule that makes it mandatory to report cyberattacks to the federal government is facing resistance from multiple sectors. Find out more about the rule and why it is facing pushback.

July 15, 2024


  • A proposed rule requiring organizations to report cybersecurity incidents to the federal government raises concerns.
  • Organizations have cited redundancy, administrative burden, implementation difficulties, and lack of clarity as critical problems.

Officials from multiple sectors are urging the US Cybersecurity and Infrastructure Security Agency (CISA) to revise a proposed rule requiring organizations to disclose cybersecurity incidents to the federal government. The rule, which stems from a 2022 federal law aimed at securing critical infrastructure, has raised concerns about redundancy, administrative burden, implementation difficulties, and the need for clarity.

If implemented as proposed, the rule would affect banks, dams, healthcare facilities, power plants, and several government agencies, all of which would be required to report suspected breaches within 72 hours. CISA has been asked to consider making the reporting voluntary, to define the types of cyber incidents that would trigger a report, and to limit the types of information requested.

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 requires critical infrastructure entities to report cyber incidents to CISA. The Act, signed by President Biden, aims to bolster national cybersecurity by enabling rapid response and information sharing to prevent further incidents.

Under the proposed rule, cyber incidents must be reported within 72 hours, and ransomware payments must be reported within 24 hours. According to CISA, this would allow it to analyze trends and to issue timely warnings and recommendations to other potential targets.


Criticism of the Proposed Rule

  • Redundancy and burden: Industry groups, including those in healthcare and higher education, have argued that the requirements overlap with existing regulations, adding to an already complex administrative burden. This is particularly challenging for smaller organizations with limited resources.
  • Implementation challenges: Concerns have also been raised about meeting the strict reporting timelines, particularly for complex incidents that require thorough investigation before reporting. This could lead to incomplete or inaccurate initial reports. A related challenge is clarifying how managed service providers, other third-party service providers, and other support entities are expected to relay this information within the stipulated time after discovering a data breach.
  • Data privacy and security: Organizations, especially those in healthcare, are worried about the potential exposure of intellectual property (IP) and/or sensitive information through mandated reporting, and about whether the collected data would be adequately protected.
  • Lack of clarity: Some have pointed out the ambiguity in defining a covered cyber incident, which could lead to inconsistent reporting and uncertainty.
  • Economic impact: Some concern exists about the rule’s economic implications, including the cost of compliance and potential fines for non-compliance, which could be prohibitive for smaller businesses and non-profit entities.

While CIRCIA intends to bolster cybersecurity across critical infrastructure sectors, the proposed rules have sparked significant debate about their practical implications and potential drawbacks. Simplifying the reporting requirements around security architecture and cybersecurity defenses could encourage organizations to respond better to cyberattacks rather than become overwhelmed by the process.


Anuj Mudaliar

Anuj Mudaliar is a content development professional with a keen interest in emerging technologies, particularly advances in AI. As a tech editor for Spiceworks, Anuj covers many topics, including cloud, cybersecurity, emerging tech innovation, AI, and hardware. When not at work, he spends his time outdoors – trekking, camping, and stargazing. He is also interested in cooking and experiencing cuisine from around the world.