What CISOs Should Know About CIRCIA Incident Reporting


In March of 2022, a new federal law was adopted: the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). This legislation focuses on reporting requirements related to cybersecurity incidents and ransomware payments. The key takeaway: covered entities in critical infrastructure will now be required to report incidents and payments within specified time frames to the Cybersecurity and Infrastructure Security Agency (CISA).


These new requirements will change how CISOs handle cyber incidents for the foreseeable future. As a result, CISOs must stay up to date on current reporting requirements, update reporting procedures and work to ensure they stay compliant. 


Let’s look at the current changes represented under CIRCIA, and how CISOs should expect to adapt.


Other Important Resources to Understand CIRCIA


The first thing to keep in mind is that CIRCIA relies on various definitions and policies found in other resources. Initially, they may be difficult to decipher and may require some mapping and/or cross-referencing. Some of the resources are:


NIST Special Publication 800-145, The NIST Definition of Cloud Computing
The Homeland Security Act of 2002
Presidential Policy Directive 21
The Cybersecurity Act of 2015.

The law can be found on pages 2,542 to 2,581 of the Consolidated Appropriations Act.


Note: while this piece focuses on U.S.-based organizations, other regions, such as the European Union, are also taking ste ..
