A draft of federal cyber incident reporting rules for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) has been posted in the Federal Register. It’s not exactly light reading: the Notice of Proposed Rulemaking weighs in at a whopping 447 pages.
The rules will require critical infrastructure entities to notify the federal government of any significant cybersecurity incident, including ransomware attacks, which often go unreported or are referred to more vaguely as “cybersecurity incidents.”
The Cybersecurity and Infrastructure Security Agency (CISA) is scheduled to publish an official version in the Federal Register on April 4. The draft version posted today is considered unpublished.
Once the official version is published, there will be a 60-day window to submit comments or feedback at http://www.regulations.gov. The document number is 2024-06526.