Yesterday, the Federal Register posted for public comment CISA’s Notice of Proposed Rulemaking (NPRM), which the agency was required to develop by the “Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)”. The proposal describes when critical infrastructure organizations will be required to report cybersecurity incidents.

Implementation of CIRCIA is intended to improve CISA’s ability to use cybersecurity incident and ransomware payment information reported to the agency to identify patterns in real-time, fill critical information gaps, rapidly deploy resources to help entities that are suffering from cyber attacks, and inform others who would be potentially affected. When information about cyber incidents is shared quickly, CISA can use this information to render assistance and provide warning to prevent other organizations from falling victim to a similar incident. This information can also help identify trends in an effort to protect the homeland. The NPRM will soon formally publish in the Federal Register, following which the public will have 60 days to submit written comments to inform the direction and substance of the Final Rule.

With the release of the NPRM, CISA Director Jen Easterly said, “CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure.”

Access the full press release here, and for more information about CIRCIA visit cisa.gov/CIRCIA