The Department of Homeland Security (DHS) is proposing a new model for cyber incident reporting, which aims to overhaul the existing complex patchwork of reporting requirements across the U.S. and make it easier in the long run for organizations to disclose cyberattacks.
The U.S. government has been trying to encourage companies to disclose cyber incidents in an effort to both offer support and resources to victim companies and to collect more valuable incident-related data, which could help the industry better understand the tools and tactics that cybercriminals are using.
But it hasn’t been easy. Companies may be hesitant due to the perceived stigma of being a victim of a breach or cyberattack, but even organizations that want to report an incident face overlapping regulations and disparate complex processes. As part of its report, the DHS assessed 52 in-effect or proposed cyber incident reporting requirements, all with different authoritative agencies and varying requirements about the scope of reporting, timelines to disclosure and even definitions of what a cyber incident actually is. Based on this assessment, the DHS outlined a series of recommendations promoting a more unified and easier process for organizations.
“These recommendations provide a clear path forward for reducing burden on critical infrastructure partners and enabling the federal government to better identify trends in malicious cyber incidents, as well as helping organizations to prevent, respond to, and recover from attacks,” according to the DHS in a Tuesday release.
As part of this, the DHS developed a simple reporting form model to make the process easier for organizations, and a model of a definition for reportable cyber incidents that takes into account factors like a substantial loss of confidentiality, integrity or availability of systems, networks or operational technology, operational disruption, or unauthorized access of non-public personal data. The DHS also created model timelines and triggers for reporting, which give entities a timeframe to “submit an initial written report to the required agency or agencies within 72 hours of when the covered entity reasonably believes that a reportable cyber incident has occurred.”
One important aspect of these proposed models is the acknowledgement that there is no one-size-fits-all approach to cyber incidents. For instance, the reporting timeframe may differ for agencies with requirements related to national and economic security, said the DHS.
Moving the needle on cyber incident reporting is important, but just as valuable are the backend processes needed for government agencies to receive, analyze and respond to that data. To that end, the federal government needs to streamline how reported cyber incidents are processed and shared with relevant reporting entities, according to the DHS. As part of this, the government will need to make potential improvements to existing reporting systems or even create a single portal, the department said.
Finally, the DHS recommended that Congress block any “legal or statutory barriers to harmonization,” in an effort to help agencies overcome budgetary or resource limitations for adopting new cyber incident reporting processes, or to help agencies that may lack the authority needed to collect data elements included in a cyber incident reporting form.
While cyber incident reporting challenges have been on the U.S. government’s radar for years, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), passed after the Colonial Pipeline ransomware attack, brought with it a renewed focus not just on reporting requirements for critical infrastructure sectors (along with liability protections), but also an overall effort by the government to improve and standardize federal incident reporting.
CIRCIA established the Cyber Incident Reporting Council (CIRC) to lead the charge in developing and implementing the DHS cyber incident reporting recommendations. The next step will be the implementation phase, according to the DHS.
“On behalf of the Secretary, the DHS Office of Strategy, Policy, and Plans will coordinate closely with agencies participating in the CIRC to keep Congress apprised of developments in the whole-of-government approach to reduce complexity, diminish regulatory overlap, and eliminate unnecessary duplication with respect to cyber incident reporting,” according to the DHS report.