This passage of cyber incident reporting legislation was quite a surprise to me, as I had assumed it was always required to inform CISA of incidents. However, this article digs deep into the requirements and reporting schedule, as reporting will soon become mandatory for critical infrastructure companies in specific sectors. To apply the law accurately, CISA also lists 16 US critical infrastructure sectors, including communications, manufacturing, the defense industrial base, emergency services, commercial facilities, chemical, and many more.
The purpose of the law is to deter organizations from making ransomware payments, to provide more intelligence into cyberattacks and threat actor plans, to assist in information sharing between federal agencies, and to ensure a standardized approach to dealing with critical infrastructure cyber attacks.
As listed on CISA's website, https://www.cisa.gov/critical-infrastructure-sectors, the report must include (1) relevant vulnerabilities, (2) efforts taken to mitigate the attack, (3) the categories of data believed to have been accessed or acquired by an unauthorized person and any actor reasonably believed to be responsible for the incident, and (4) supplemental information from the organization as new or different information becomes available.
Article link: https://www.infosecurity-magazine.com/news/us-cyber-incident-reporting/
Miray Bolukbasi