Apr 132022

CISA Publishes a List of Key Elements to Share in Incident Reports

Vishnu Tirumala, Alan Charles Raul and Stephen W. McInerney
, ,

Amidst severe warnings by the United States government of heightened cyber risks (especially for critical infrastructure), and on the heels of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) being signed into law in March 2022, the Cybersecurity and Infrastructure Security Administration (CISA) published a Cyber Event Information Sharing Fact Sheet, which provides stakeholders with guidance about what to share, who should share, and how to share information about unusual cyber incidents or activity.

Who Should Share Information with CISA?

  • Critical Infrastructure Owners and Operators
  • Federal, State, Local, Territorial, and Tribal Government Partners

What Types of Activity Should Be Shared?

  • Unauthorized access to your system
  • Denial of Service (DOS) attacks that last more than 12 hours
  • Malicious code on your systems, including variants if known
  • Targeted and repeated scans against services on your systems
  • Repeated attempts to gain unauthorized access to your system
  • Email or mobile messages associated with phishing attempts or successes
  • Ransomware against Critical Infrastructure, include variant and ransom details if known

How Should You Share This Information?

Entities were urged to complete an incident reporting form or, in the alternative, send a detailed e-mail to report@cisa.gov.

In the report, CISA asks that entities share ten key elements – with the first nine listed as a priority.

  1. Incident date and time
  2. Incident location
  3. Type of observed activity
  4. Detailed narrative of the event
  5. Number of people or systems affected
  6. Company/Organization name
  7. Point of Contact details
  8. Severity of event
  9. Critical Infrastructure Sector if known
  10. Anyone else you informed

While these instructions are not legally binding, these data elements might be a signal for what critical infrastructure owners and operators can expect in an upcoming notice of proposed rulemaking. Critical infrastructure operators should consider how best to incorporate these elements into their incident reporting process.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

Vishnu Tirumala

Washington, D.C.

vtirumala@sidley.com

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Stephen W. McInerney

Chicago

smcinerney@sidley.com

You might also like
Regulatory Update: National Association of Insurance Commissioners Spring 2024 National Meeting

The National Association of Insurance Commissioners (NAIC) held its Spring 2024 National Meeting (Spring Meeting) March 15 through 18, 2024. This Sidley Update summarizes the highlights from this meeting in addition to interim meetings held in lieu of taking place during the Spring Meeting. Highlights include proposed updates to the regulatory review process for affiliated investment management agreements, continued discussion of considerations related to private equity ownership of insurers, and continued development of accounting principles and investment limitations related to certain types of bonds and structured securities.

FinCEN Seeks Input on Banks’ Collecting Partial Social Security Numbers for Customer Identification Programs

On March 28, 2024, the Financial Crimes Enforcement Network (FinCEN), in consultation with the U.S. banking agencies and the National Credit Union Administration, issued a request for information (RFI) regarding the customer identification program (CIP) requirement for depository institutions (referred to herein as banks) to collect tax identification numbers (TINs).Comments are due by May 28, 2024.

Cybersecurity Takeaways From White House Tech Report

On Feb. 26, the White House’s Office of the National Cyber Director (ONCD), released a report on how technology manufacturers and software developers can improve the cybersecurity posture of the U.S. This report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software,” aligns with the Biden administration’s current, intense focus on combatting ever-increasing cyberthreats through software development and software manufacturer accountability. In this article, published by Law360 on March 26, Sidley lawyers Alan Charles Raul, Stephen McInerney and Vishnu Tirumala discuss the ONCD report and provide key take-aways for software developers and manufacturers, their senior management, and boards.