Federal vision to streamline cyber incident reporting expected this summer

The Cyber Incident Reporting Council is expected to deliver its report to Congress this summer, a DHS official said Thursday.

The Cyber Incident Reporting Council will issue a report to Congress "in the next month or two" with recommendations on ways to achieve harmony across a complex network of federal cyber mandates. 

A federal council tasked with harmonizing future cyber incident reporting requirements is set to release proposed recommendations on how to develop an incident-reporting framework across key agencies and regulatory bodies, according to the chair of the council.

Speaking during a panel discussion Thursday at the Center for Strategic and International Studies, a nonprofit think tank, Department of Homeland Security Under Secretary for Policy Robert Silvers said the Cyber Incident Reporting Council expects to submit its report to Congress "in the next month or two."

The council was established under the Cyber Incident Reporting for Critical Infrastructure Act last year with the goal of minimizing industry burden while ensuring timely awareness of cyber incidents impacting critical infrastructure sectors across all required federal components. 

The group includes representatives from a wide variety of federal agencies, including DHS, the Office of the National Cyber Director, the Departments of Defense, Justice and Commerce, the FBI and more.

The bill also featured new reporting requirements that "fall into a sea of other incident reporting mandates" from federal, state and international regulators, Silvers said. 

"That really can be quite overwhelming for a company that already has a lot going on in the 48 hours after falling victim to a cyber attack," he added. 

The Cybersecurity and Infrastructure Security Agency is currently developing regulations as required under the law for critical infrastructure owners and operators to report cyber incidents within 72 hours and has led a series of listening sessions with sector-specific industries to aid its rule-making process. 

"CISA is considering the inputs received through these consultations as we develop the proposed regulations and look for ways to harmonize CIRCIA's requirements with other existing cyber incident reporting regulatory requirements," CISA's Executive Director Brandon Wales wrote in a March blog post reflecting on his agency's implementation of the bill a year after it was signed into law.

CISA also issued a request for information from key stakeholders on the proposed regulations and said it was specifically interested in "definitions for and interpretations of the terminology to be used in the proposed regulations, as well as the form, manner, content and procedures for submission of reports required under CIRCIA."

Silvers said the council is focusing on industry-centric approaches “so that a victim company has the minimal amount of distraction as it gets to the federal government the information that the federal government needs to protect the nation.”