Rick Driggers, critical infrastructure cyber lead at Accenture Federal Services, has shared his thoughts on the recent Cyber Incident Reporting for Critical Infrastructure Act.
Signed into law by President Joe Biden on March 15, the Cyber Incident Reporting for Critical Infrastructure Act mandates that individuals and businesses running technological enterprises must give notice of cyber breaches or suspected malpractice to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency within 72 hours of identifying the issue.
Driggers, who formerly worked as assistant director for integrated operations at CISA, called the law “unprecedented” in the cyber community but said public and private sector organizations nonetheless uniformly believe it to be a “necessary step forward.”
“With this mandatory reporting, CISA will work across federal agencies and the private sector to develop detection and mitigation strategies to share more broadly across the critical infrastructure community to address vulnerabilities being exploited and to promote collective defense,” Driggers explained.
The law also states that impacted organizations must give notice of any ransomware transactions within 24 hours of a payment being made to extortionists. It has been left up to CISA to provide exact definitions of what types of entities are covered by the legislation and what constitutes a cyberattack.
“If implemented correctly, it is light touch regulation and a welcome step forward,” Driggers concluded.