US Federal Agencies Seek to Streamline 'Hodgepodge' of Cyber Reporting Rules (bloomberg.com)
The Department of Homeland Security wants Congress and other federal agencies to help it streamline 52 different cyber reporting requirements to protect critical infrastructure and ease regulatory burdens on hacking victims. On Tuesday, it released a 107-page report that it hopes will serve as a road map to smooth that process. From a report: More than 30 federal agencies and departments, including the Nuclear Regulatory Commission, Comptroller of the Currency and US Secret Service, have met since June 2022 to hammer out how to reduce regulatory overlap as the federal government grapples with the messy state of cyber reporting rules. They are among members of the Cybersecurity Incident Reporting Council, which was set up as part of a new cyber reporting law passed last year and developed the report recommendations.
"Everybody is desperate for some harmonization and standardization here," Robert Silvers, DHS's under secretary for strategy, policy and plans who chairs the council, told Bloomberg News in an interview. "This is a first-of-its-kind effort." Federal agencies know well that cyber reporting requirements have become "too much of a patchwork," Silvers added. There are already 45 existing reporting requirements administered by 22 federal agencies, spanning national and economic security concerns to consumer and privacy protections, according to the report. Seven more requirements are expected, including the reporting law that created the council, and a further five are under consideration, according to the report.
Obligatory XKCD (Score:3)
Re: Obligatory XKCD (Score:2)
Thank you. I was hoping this was the first post.
More Useful, Non-Paywalled Links (Score:3)
Seeing how the only link in the OP is a paywalled media piece, I figured this would be helpful
Actual DHS announcement: https://www.dhs.gov/news/2023/... [dhs.gov]
Link to the actual report: https://www.dhs.gov/sites/defa... [dhs.gov]
Executive summary of the report:
This report, entitled "Harmonization of Cyber Incident Reporting to the Federal Government," has been prepared by the Department of Homeland Security (DHS) through the Office of Strategy, Policy, and Plans pursuant to a requirement in §107(d)(1) of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires the Secretary of Homeland Security to submit such a report.
• In CIRCIA, Congress established a Cyber Incident Reporting Council (CIRC) to coordinate, deconflict, and harmonize Federal incident reporting requirements, including those issued through regulation. Secretary of Homeland Security Alejandro N. Mayorkas delegated to Under Secretary for Strategy, Policy, and Plans Robert Silvers responsibility to chair the CIRC.
• The CIRC led an intensive process to identify the actionable recommendations to harmonize cyber incident reporting requirements reflected in this report. To support the development of these recommendations, the CIRC took inventory of existing and proposed Federal cyber incident reporting requirements and engaged with Federal agencies and outside experts from industry and other stakeholders.
• The CIRC comprehensively assessed 52 in-effect or proposed Federal cyber incident reporting requirements. That assessment, reflected in this report, highlights potentially duplicative Federal reporting and identifies challenges to harmonization of these requirements.
• Based on the work of the CIRC, this report proposes a model definition for reportable cyber incidents; model timelines and triggers for reporting; and offers recommendations for how to align content of cyber incident reports and to move toward a model reporting form or common data elements wherever practicable.
• The report also recommends that the Federal Government should assess how best to streamline the receipt and sharing of cyber incident reports and cyber incident information, including through improvements to existing reporting mechanisms or the potential creation of a single portal, and improve processes for engaging with reporting entities following the initial report of a cyber incident.
• As required by §107(d)(1) of CIRCIA, the report also summarizes actions that the Cybersecurity and Infrastructure Security Agency (CISA) will take to facilitate harmonization of cyber incident reporting as it implements CIRCIA as well as proposals that Congress may consider for legislative changes. Proposals for congressional action include removing legal barriers to harmonizing incident reporting regimes and exempting cyber incident information reported to the Federal Government from the Freedom of Information Act.
• Following release of this report, the CIRC will take steps to begin implementing the recommendations and, under the leadership of DHS, continue to serve as the Executive Branch's forum to coordinate, deconflict, and harmonize Federal cyber incident reporting requirements. On behalf of the Secretary, the DHS Office of Strategy, Policy, and Plans will coordinate closely with agencies participating in the CIRC to keep Congress apprised of developments in the whole-of-government approach to reduce complexity, diminish regulatory overlap, and eliminate unnecessary duplication with respect to cyber incident reporting.
...as a developer... (Score:2)
...as a developer of the Federal infrastructure, I'd like to use a Linux workstation, please. You can monitor all my TCP/IP input/output all you want, but, even if only within a VM, may I please use something like Ubuntu to develop open-source web servers which are practically identical to my workstation? Please reconsider the denial I previously received requesting WSL2, because "it is a virtual machine, and I'd have root, so that's not allowed."
The only digital thing I can submit to the Feds is Git commits.
Asking Congress (Score:2)
The Democrats will respond with a hodgepodge that is more likely to make matters worse.
The only thing the Republicans can do on a regulation issue is to scream SHUT DOWN.
Nowadays, Congress can only move on an issue if some part of the country is literally about to fall into a black hole.