Cyber Incident Reporting Regulation Takes Shape

Critical infrastructure entities in both public and private sectors are closer to getting a more comprehensive and coordinated approach to cyber incident reporting requirements with a new proposed rule from the Cybersecurity and Infrastructure Security Agency (CISA).

Currently open for public comment through June 3, the rule would require critical infrastructure organizations to report security incidents within 72 hours and ransomware payments within 24 hours. The rule comes amid an environment where agencies face what the Department of Homeland Security deemed “a patchwork of regulations and statutory authorities” that can often be competing or difficult to prioritize.

Federal agency strategies on cyber incident reporting largely have followed frameworks like those in CISA’s Cybersecurity Incident and Vulnerability Response Playbook, which lists these steps:

• Preparation: Prepare for major incidents before they occur to mitigate any impact on the organization.
• Containment: Prevent further damage and reduce the immediate impact of the incident by removing the adversary’s access.
• Education and Recovery: Allow the return of normal operations by eliminating artifacts of the incident and mitigating the vulnerabilities or other conditions that were exploited.
• Post-Incident Activities: Document the incident, inform agency leadership, harden the environment to prevent similar incidents and apply lessons learned to improve the handling of future incidents.
• Coordination: It is critical that the agency experiencing the incident and CISA coordinate early and often throughout the response process. It is also important to understand that some agencies have special authorities, expertise and information that are extremely beneficial during an incident.

CISA’s playbook isn’t the only resource critical infrastructure entities have in informing their reporting approaches. DHS outlines how duplicative and overburdened some of the current processes are in its September 2023 report on harmonizing cyber incident reporting measures.

Some agencies have approached it from a shared-services perspective. For example, the Department of Health and Human Services created a “one-stop cybersecurity shop” in its Administration for Strategic Preparedness and Response (ASPR) to help boost cyber resiliency in the health care sector.

CISA’s upcoming rule when enacted will provide much-needed harmony to these approaches and streamline reporting protocol. For critical infrastructure entities, experts say this harmony will unlock more resources and time to devote to actually addressing a cyber incident.

“It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats,” said CISA Director Jen Easterly in a statement. “We look forward to additional feedback from the critical infrastructure community as we move towards developing the final rule.”

A Peek at GSA’s Cyber Incident Reporting Plan

The General Services Administration aligns its cyber incident response plan to various directives including NIST Guidance 800-61R2, Computer Security Incident Handling Guide and CISA’s playbook, according to GSA Security Operations Center and Incident Response Team Lead Eric Henry.

“GSA uses incident response playbooks and intelligent tooling to facilitate quick response actions,” he told GovCIO Media & Research. “Preparation and lessons learned activities are the bedrock of quality response and continual improvement, both of which serve to provide better and quicker response.”

GSA consolidates its cyber incident functions to feed into a security operations center at the agency.

“It’s organized around the principle of enterprise shared service: ‘One GSA: One Cyber,’ ensuring a common approach including policy, process, team and tooling for incident response. … We ensure all information systems report into the SOC and use intelligent tooling for automated threat detection and focused detection and response,” said Henry. “Further, we have centralized and streamlined incident reporting and provide ongoing security awareness training to our staff focused on detecting and reporting incidents.”

Henry said a coordinated incident response plan is critical for agencies implementing emerging technologies like AI where it could also benefit cybersecurity approaches.

“GSA will invest in research and development to explore the potential benefits of implementing artificial intelligence in incident response, such as predictive analysis, machine learning and automation of certain tasks,” said Henry. “We will also build internal capabilities by training and upskilling employees in the use of artificial intelligence tools and technologies.”

Henry noted GSA’s cyber incident strategy will evolve as the agency learns from industry.

“We plan to collaborate with industry experts and partners to stay informed about the latest technologies and best practices in incident response,” said Henry. “GSA will also conduct regular evaluations and retros of current incident response processes to identify areas for improvement and streamline procedures.”