DHS publishes recommendations on reporting cyber incidents

The Department of Homeland Security released its report, “Harmonization of Cyber Incident Reporting to the Federal Government, “ on September 19th.

What happened

The report is a direct result of the recently passed Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires the development of new cyber incident reporting systems. 

Currently, there are various requirements for reporting cyber incidents across the Federal government. The requirements are, at times, confusing and occasionally even contradictory. 

To help remedy the situation, CIRCIA established the Cyber Incident Reporting Council (CIRC), which will be coordinating and harmonizing federal requirements into a more streamlined system. 

In preparation, CIRC evaluated existing and proposed reporting requirements and developed actionable recommendations for their report. 

Going deeper

The 107-page document provides comprehensive proposals and models for harmonizing reporting requirements. 

The document outlines 8 recommendations for the Federal Government to consider, including: 

1. Adopting a singular model definition of a reportable cyber incident. Currently, multiple different definitions determine what cyber incidents need to be reported. By having a baseline definition, organizations will have a clear understanding of the standards. 
2. Adopting model cyber incident reporting timelines and triggers. This would help organizations better understand when they must file cyber incidents. 
3. Agencies that require entities to provide notification to affected individuals should consider delaying notification if the incident poses a risk to critical infrastructure, national security, public safety, or law enforcement investigations. 
4. Adopting a model reporting form or allowing a singular reporting form to be submitted to multiple agencies. 
5. Conducting an assessment to streamline the receipt and sharing of reports. 
6. Creating reporting systems that allow organizations to provide updates and supplemental reports. 
7. Adopting common terminology regarding reporting. 
8. Improving processes for engaging with entities that are reporting. 

The report also made several legislative recommendations, including that: 

1. Congress should remove any legal barriers to harmonization.
2. Congress should provide authority and funding to Federal agencies to enable them to collect and share common data. 
3. Congress should exempt cyber incident information reported to the government from disclosure (under FOIA).

The report states that these recommendations are meant to be “the beginning, not the end.” They also stated that the “recommendations and proposed legislative changes discussed above present a roadmap to enhance alignment and harmonization of Federal cyber incident reporting requirements.” 

The big picture

As the next step in CIRC’s goals, the council plans to assist in agencies’ efforts to adopt the various recommendations or find ways to make recommendations work for their organization. 

CIRC’s process will continue to progress; over time, we may see changes to reporting cyber security incidents. As the government harmonizes the reporting process, it will hopefully become more streamlined and straightforward for organizations to navigate. 

Related: HIPAA Compliant Email: The Definitive Guide