How CIRCIA is changing crisis communication


Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis.


When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath.


In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). But because the wheels of government move slowly, it is just now in 2024 that the Cybersecurity and Infrastructure Security Agency (CISA), the agency tasked with overseeing CIRCIA, is completing the mandatory rule requirements so the law can go into effect. On April 4, CISA published a Notice of Proposed Rulemaking (NPRM), which was open for public comment until July 3, with the final rules and regulations coming no later than October 2025.


The goal of CIRCIA is to change the way entities across critical infrastructure communicate during a cyber crisis and to improve overall cyber readiness.


The 72-hour rule


CISA has designated 16 industries as critical infrastructure, which can be found here in detail. However, under CIRCIA, only 13 of the sectors will be required to follow the reporting guidelines (as of this writing, Commercial Facilities, Dam ..
