The Cybersecurity and Infrastructure Security Agency is set to become a “regulatory enforcer” after receiving legal authority to require cybersecurity incident reports from critical infrastructure entities, a former agency leader told Federal News Network Friday.
Tatyana Bolton, CISA’s cyber policy lead from 2017 to 2020, explained that the new reporting rule will push the agency to depart from its previous practice of simply asking its industry partners for cyber information.
Under an omnibus spending bill signed into law in early March, CISA has 36 months to finalize regulations that would require companies to report cyber incidents within three days and disclose ransomware payments within 24 hours.
“I think you’ll see a bit of a shift in terms of the way that industry sees CISA and its power and authority,” explained Bolton, policy director for cybersecurity and emerging threats at the R Street Institute.
She suggested the agency take inspiration from the Federal Aviation Administration’s system for accepting confidential cyber reports and sharing related information with the aviation industry, pointing out that such a model focuses less on blaming victim companies and more on collecting data for cybersecurity.
CISA is currently required to release a rulemaking notice relating to the new reporting mandate in two years.