CISA Requests Input on Terms Already Defined by Incident Reporting Law

Kosamtu/Getty Images

The agency is embarking on a rulemaking process to implement the law, which requires those who make ransomware payments to report them to the government. 

The Cybersecurity and Infrastructure Security Agency is casting the widest net possible to get feedback for its implementation of the Cyber Incident Reporting for Critical Infrastructure Act, asking stakeholders to opine on the most basic of terms used in the legislation.

In a request for information published in the Federal Register Monday, CISA announced a series of listening sessions it plans to hold around the country through mid November to inform a rule it must issue to enforce the law, which Congress passed in March following several high-profile cybersecurity breaches at critical-infrastructure providers. 

Among those was the attack on Colonial Pipeline, which the company paid a multimillion dollar ransom to defuse. In addition to reporting “covered cyber incidents” to CISA within at least 72 hours, the law required “covered entities” to report any “ransom payments” to the agency within 24 hours.  

Within those and other criteria, the law leaves it up to CISA to define what counts as a “covered entity” and a “covered cybersecurity incident” in the coming rule. 

“The term 'covered cyber incident' means a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the [CISA] director in the final rule,” it reads, for example.

To that end, CISA’s RFI asks respondents to address, among other things, “the meaning of ‘substantial cyber incident.’” Government and industry officials have noted the potential for improper scoping of the rule to lead to unhelpful “noise,” given the frequency with which adversaries are constantly trying to penetrate critical infrastructure, with varying levels of success. That would be unnecessarily burdensome to both industry and government officials fielding reports to the agency, CISA Director Jen Easterly regularly notes. 

But the RFI also asks for feedback on the meaning of the terms “ransom payment,” and “ransomware attack,” both of which are already fully defined by the legislation, along with “supply chain compromise.” 

CISA also asks for input on “the criteria for determining if an entity is a multi-stakeholder organization that develops, implements and enforces policies concerning the Domain Name System.” The law notes that it shouldn’t be enforced against organizations such as the Internet Corporation for Assigned Names and Numbers or the Internet Assigned Numbers Authority.

In addition to public input, CISA’s rulemaking must also be informed by other federal agencies, a number of which may have conflicting requirements for entities under their specific jurisdictions to report qualifying cybersecurity incidents. 

CISA is also planning a listening session in Washington D.C. as well as sector-specific listening sessions. But details for those sessions have not yet been determined, according to the Federal Register notice. In a press release Friday, the agency said it will also accept written comments on the rulemaking over the next 60 days.