Last week, the US Department of Homeland Security (DHS) released a report, Harmonization of Cyber Incident Reporting to the Federal Government, that lays out a working template for how the Cybersecurity and Infrastructure Security Agency (CISA) might implement its upcoming cyber incident reporting regulations.

CISA must produce its incident reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA also required DHS to issue this report to address potential duplication of cyber incident reporting requirements, the challenges of harmonizing these requirements, the steps DHS could take to facilitate this harmonization, and proposed legislation that might be needed to address duplicative requirements.

Under CIRCIA, Congress established a Cyber Incident Reporting Council (CIRC) to “coordinate, deconflict, and harmonize federal incident reporting requirements, including those issued through regulation.” CIRC and 33 government agencies investigated the duplication and harmonization issues and issued a series of recommendations on how best to harmonize the various cyber incident reporting activities spread across the federal government.

A welter of agency requirements

CIRC identified fifty-two in-effect or proposed federal cyber incident reporting requirements, which serve as the basis for the model definition of a reportable cyber incident spelled out in the report. Forty-five of those are in effect and are administered by 22 federal agencies.

Twenty-five requirements relate to national security, economic security, or public safety. Thirteen focus on privacy or consumer or investor protection, with six serving purposes in both categories.
The methods for collecting incident reports vary widely across these regimes, which were designed for different purposes but require duplicative information.

One common platform for them all

The task of DHS was to find a way to harmonize all these requirements so that CISA’s regulations impose the least amount of duplication while still allowing the existing sector-specific reporting requirements to include information tailored to their varying purposes.

To that end, CIRC recommends that the federal government create a common reporting platform and an intra-government information-sharing platform to alleviate duplicative reporting, with clear definitions and consistent terminology across reporting regimes, and with additional information allowed in supplemental reports. In an appendix to the report, DHS presents a model common platform that it thinks fits the bill.

The following summarizes the report’s key recommendations, highlights some challenges in adopting this customizable uniform reporting mechanism, and outlines the legislative actions needed to create the common platforms.

Model definition of a reportable cyber incident

The first recommendation in the report calls for a model definition of a reportable cyber incident “wherever practicable” that draws on the commonalities in the existing reporting requirements. To encourage timely reporting and to assuage concerns that organizations must gather all relevant information before submitting a report, CIRC suggests the definition should also include language making a cyber incident that is still under investigation reportable.

CIRC recommends that a reportable cyber incident should explicitly exclude lawful US government activities, such as those undertaken under a warrant or other judicial process.
Moreover, CIRC recommends that the definition exclude “data breach incidents when potentially compromised data is adequately encrypted or disassociated so that the information cannot be used, and such encryption or data disassociation has not been compromised.”

CIRC also recommends that reportable incidents should exclude situations where a ransomware extortion threat exists, although it’s unclear what this means. (CISA did not respond to a request for clarification about this exclusion.) Under CIRCIA, ransomware victims must separately report ransom payments to CISA within 24 hours of payment.

Definitions of a reportable incident

Finally, the definition excludes good faith research carried out by any reporting entity. With these exclusions, CIRC offers the following definition of a reportable incident:

A reportable cyber incident is a cyber incident that leads to, or, if still under the covered entity’s investigation, could reasonably lead to any of the following:

(1) a substantial loss of confidentiality, integrity, or availability of a covered information system, network, or operational technology;

(2) a disruption or significant adverse impact on the covered entity’s ability to engage in business operations or deliver goods, or services, including those that have a potential for significant impact on public health or safety or may cause serious injury or death;

(3) disclosure or unauthorized access directly or indirectly to non-public personal information of a significant number of individuals; or

(4) potential operational disruption to other critical infrastructure systems or assets.

The term “reportable cyber incident” includes, but is not limited to, indications of compromises of information systems, networks, or operational technologies of customers or other third parties as well as a business or operational disruption caused by a compromise of a cloud service provider, managed service provider,
or other third party data hosting provider.

Model timeline for reporting and trigger provisions

The second recommendation in the report calls for creating model cyber incident reporting timelines and triggers, or “starting the clock,” for submitting an incident report “wherever practicable.” While CIRCIA creates a reporting timeline of 72 hours, some federal agencies call for shorter or longer timelines.

CIRC suggests that requirements related to national and economic security and safety may require timelines shorter than 72 hours, while agencies with consumer protection and privacy requirements may adopt a more flexible timeline. The timelines for notifying affected individuals, local governments, or the media can extend beyond the requirements to give the entity the ability to determine the full impact of the incident.

Given these considerations, CIRC offers the following model timeline and reporting provisions:

A covered entity that experiences a reportable cyber incident shall submit an initial written report to the required agency or agencies within 72 hours of when the covered entity reasonably believes that a reportable cyber incident has occurred.

Note: For incidents that may disrupt or degrade the delivery of national critical functions or the reporting entity’s ability to deliver vital goods or services to the public, or impact public health or safety, agencies may require covered entities to submit an initial report to the required agenc[ies] within less than 72 hours.

Note: For incidents that involve the loss of personal information without further impact on business operations, agencies may include a timeline longer than 72 hours.
Such a requirement should consider the potential national or economic security implications of the loss of personal information and the ability of individuals to mitigate harm from the compromise of their information.

Other recommendations

The report also lists a series of other recommendations, including

Legislative changes needed

Because some agencies may face legal or statutory obstacles to adopting the model provisions and forms proposed by CIRC, CIRC recommends that Congress remove any legal or statutory barriers to harmonization. Certain agencies have already indicated that they lack sufficient authority to collect all of the recommended data elements in the model form DHS includes in the report, so Congress might need to consider legislation that, for example, “authorizes agencies to align their regulatory requirements to CIRC recommendations notwithstanding other provisions of law.”

Moreover, the agencies may also lack funds to collect the data. CIRC recommends that Congress provide funds to enable them to collect and share common cyber incident data elements that they may not otherwise be authorized to collect.

Finally, CIRC recommends that Congress exempt cyber incident information reported to the federal government from disclosure under FOIA or other similar legal mechanisms. This recommendation addresses fears among cyber responders about what will happen with the information they report to one or more agencies following a cyber incident, given the delicate nature of managing incidents and the need to shield potentially damaging information from threat actors.

Reactions and next steps

DHS stresses that CIRC’s recommendations are at the beginning, not the end.
CIRC will continue working with agencies and local and foreign governments on how best to adopt the recommendations and identify specific statutory or legal limitations that must be overcome to achieve harmonization.

The initial reaction to the harmonization report appears to be tentatively optimistic. “While we’re still reviewing today’s report, we’re encouraged to see that it produces actionable recommendations for clear, streamlined, and harmonized requirements that can yield better security outcomes while reducing the burden on critical infrastructure partners,” John Miller, senior vice president of policy and general counsel for the Information Technology Industry Council, said in a statement.

However, given the wide-ranging comments submitted to CISA in response to a request for information (RFI) ahead of the agency’s rulemaking on its cyber incident reporting regulations, slated to kick off in March 2024, it’s likely that some of CIRC’s recommendations will receive pushback. Many of the RFI commenters pushed for a narrower definition of a reportable cyber incident and sought to expand the timeframe under which incidents should be reported.