Congress and the White House are drilling down on increased transparency around cyber incidents and cyber incident reporting at federal agencies and private companies as cyberattacks surge.
In a White House memo published last week, OMB Acting Director Shalanda Young outlined a maturity model for federal agencies to track information logs from their IT systems and requirements for information-sharing with the Cybersecurity and Infrastructure Security Agency (CISA) following cyber incidents.
Agencies have two years to reach the highest level of information log maturity, but starting immediately, must begin sharing information logs with CISA following cyber incidents, according to the memo.
“Recent events, including the SolarWinds incident, underscore the importance of increased government visibility before, during, and after a cybersecurity incident,” Young wrote in the memo. “Information from logs on Federal information systems (for both on-premises systems and connections hosted by third parties, such as cloud services providers) is invaluable in the detection, investigation and remediation of cyber threats.”
A new draft bill from the House Homeland Security Committee amends the Homeland Security Act of 2002 to install a Cyber Incident Review Office within CISA.
Most federal agencies and their private-sector partners agree there should be a framework for cyber incident reporting, but some are concerned about legislating a reasonable timeline for reporting incidents to CISA. During a panel hearing with the committee, witnesses from FireEye (the cybersecurity firm that discovered the SolarWinds breach), the Information Technology Industry Council (ITI), USTelecom and the American Gas Association urged Congress to mandate a flexible 72-hour window for reporting.
This time range allows “the operator more time to gather valuable useful information rather than just spitting information to CISA when CISA is going to come back and ask more questions anyway,” said Kimberly Denbow, managing director for security at the American Gas Association. In her prepared testimony, she also argued for prioritizing incident response over compliance.
Heather Hogsett, senior vice president at the Bank Policy Institute, warned against dumping information on CISA for the sake of compliance.
“CISA is deluged with information that's not helpful to them, not useful, and gets bogged down with information that isn't the actual highest threat and risk that we want them and everyone else to focus on," she said at the hearing. “Beyond this scope, setting up a process where there is a regular feedback loop … if we can close that so that CISA has real-time valuable information for them to help them improve their operations, those would be key pieces. The way the bill is drafted allows for that, but your role as you oversee that would be a critical thing we'd highlight.”
CISA also released an insights report for federal agencies with outsourced IT this week, highlighting information-sharing and incident reporting as a key item for federal agencies and private-sector partners to discuss.
Clear expectations around information-sharing and cyber incident reporting should be discussed before signing a contract, CISA said in the report.