New cyber incident reporting rules released

Recently, the Cybersecurity and Information Security Agency (CISA) released a Request for Information (RFI) to inform the agency’s development of new critical infrastructure cyber incident reporting rules enacted by Congress earlier this year.

The Cyber Incident Reporting for Critical Infrastructure Act was approved by Congress in March. The law directs CISA to develop rules requiring covered critical infrastructure owners and operators to report to CISA within 72 hours of a reasonable belief that they have experienced a cyberattack, or within 24 hours of making a cyber ransom payment. Although water systems are not explicitly mentioned in the statute, they could be subject to the reporting requirements depending on how CISA decides to define covered entities.

The new RFI specifically seeks stakeholder input to develop definitions for terms such as:

  • Covered entity
  • Covered cyber incident
  • Substantial cyber incident
  • Ransom payment
  • Supply chain compromise

Furthermore, the request for information is seeking details on what constitutes a “reasonable belief” that a covered cyber incident has occurred, how reports on covered cyber incidents and ransom payments should be transmitted to CISA, how the 24-hour post-ransom payment timeframe should be measured, and how third-party entities can be engaged to submit required reports on behalf of covered entities, among other subject areas.

CISA will host a series of listening sessions at locations across the country for interested stakeholders to weigh in on the reporting regime. The listening sessions will help CISA receive public input as the agency develops proposed regulations. Scheduling information is available in the Federal Register notice.


Some information contained in this new update was first reported by the Association of Metropolitan Water Agencies in its Monday Morning Briefing.
