DHS Recommends Harmonizing Cyber Incident Reports Submitted to the Federal Government

The U.S. Department of Homeland Security (DHS) has submitted a report to Congress with recommendations on how cyber incident reporting to the Federal government can be harmonized to better safeguard the nation's critical infrastructure.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to establish the requirements for the new cyber incident reporting regime. At present, there is a patchwork of cyber incident reporting requirements across the Federal government and the broader ecosystem. Many of these requirements relate to national security, public safety, or economic security, and some address investor, consumer, or privacy considerations.

To avoid duplication and synchronize the reporting of cyber incidents, CIRCIA established a Cyber Incident Reporting Council (CIRC) to coordinate, de-conflict, and harmonize Federal incident reporting requirements. It also directs the Secretary of Homeland Security to submit a report to Congress that identifies duplicative reporting requirements, the challenges to harmonizing them, the actions the CISA Director intends to take to enable harmonization, and proposed legislative changes to address duplicative reporting.

The report contains a number of recommendations for reducing the current burden of submitting cyber incident reports, including:

  • a model definition of a reportable cyber incident
  • model timelines for reporting
  • ways to better align the content of cyber incident reports, moving toward a model reporting form that all federal agencies can adopt

At this time, there are 52 different cyber incident reporting requirements across the federal government, either in effect or proposed. Each agency has its own reporting requirements, mechanisms, timelines, and methods for interpreting reports, and agencies often use different language to define security events and apply different reporting thresholds.

Some reporting entities fall under more than one federal agency and must submit several reports about a security event, potentially while they are still responding to and managing that event. For example, some entities must report a security incident under the Federal Trade Commission (FTC) Breach Notification Rule as well as under the SEC's final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, and 8 federal agencies require the financial services industry to report incidents with a cyber nexus. In the healthcare industry, incidents may need to be reported to HHS' Office for Civil Rights, the Food and Drug Administration, and the FTC. A cyber event that triggers multiple reports may have resulted in breaches of different types of information on different systems, and although these may be categorized as separate data breaches, they may all have occurred during the same cyber event. This duplicative incident reporting adds unnecessary complexity.

The DHS has proposed that all federal agencies use a model definition of a reportable cyber incident. A proposed definition, developed from a number of existing practices that federal agencies require when describing a reportable cyber incident, is included in the report. The DHS proposes that all federal agencies adopt the model definition to the extent practicable.

Model timelines and triggers were also recommended, and the DHS proposed developing model language for delayed public notification of cyber incidents, for example when a delay is needed to avoid alerting a threat actor that a breach has been detected. The DHS additionally recommended that federal agencies examine the feasibility of a model cyber incident reporting form, and of integrating common data elements, web portals, and other submission systems into that form, to simplify the reporting process for reporting entities.

The DHS also proposes improving communication among federal agencies and improving existing reporting systems, ideally including a single portal for reporting security events. The DHS has likewise asked Congress to provide federal agencies with the funding and authority they need to collect and share common data elements, since existing laws may not permit the disclosure of all data, and to remove any legal or statutory barriers that could prevent the use of the proposed model provisions and forms.