The Cybersecurity and Infrastructure Security Agency has released a Notice of Proposed Rulemaking, which proposes, and seeks comment on, cyber incident reporting rules for critical infrastructure entities. The NPRM would implement provisions of the Cyber Incident Reporting Act, which requires certain cyber incidents to be reported to CISA within 72 hours and ransomware payments to be reported within 24 hours after payment has been made. The NPRM proposes that all “substantial cyber incidents” must be reported in accordance with the Cyber Incident Reporting Act. The final rules must be published within 18 months of the publication of the NPRM, which will be officially published on April 4.
