US Federal Agencies Seek to Streamline 'Hodgepodge' of Cyber Reporting Rules (bloomberg.com)

The Department of Homeland Security wants Congress and other federal agencies to help it streamline 52 different cyber reporting requirements to protect critical infrastructure and ease regulatory burdens on hacking victims. On Tuesday, it released a 107-page report that it hopes will serve as a road map to smooth that process. From a report: More than 30 federal agencies and departments, including the Nuclear Regulatory Commission, Comptroller of the Currency and US Secret Service, have met since June 2022 to hammer out how to reduce regulatory overlap as the federal government grapples with the messy state of cyber reporting rules. They are among members of the Cybersecurity Incident Reporting Council, which was set up as part of a new cyber reporting law passed last year and developed the report recommendations.

"Everybody is desperate for some harmonization and standardization here," Robert Silvers, DHS's under secretary for strategy, policy and plans who chairs the council, told Bloomberg News in an interview. "This is a first-of-its-kind effort." Federal agencies know well that cyber reporting requirements have become "too much of a patchwork," Silvers added. There are already 45 existing reporting requirements administered by 22 federal agencies, spanning national and economic security concerns to consumer and privacy protections, according to the report. Seven more requirements are expected, including the reporting law that created the council, and a further five are under consideration, according to the report.

  • by salvorHardin ( 737162 ) <adwulf.gmail@com> on Tuesday September 19, 2023 @12:40PM (#63860748) Journal
  • Seeing how the only link in the OP is a paywalled media piece, I figured this would be helpful

    Actual DHS announcement: https://www.dhs.gov/news/2023/... [dhs.gov]

    Link to the actual report: https://www.dhs.gov/sites/defa... [dhs.gov]

    Executive summary of the report:

    This report, entitled “Harmonization of Cyber Incident Reporting to the Federal
    Government,” has been prepared by the Department of Homeland Security (DHS) through
    the Office of Strategy, Policy, and Plans pursuant to a requirement in §107(d)(1) of the
    Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires
    the Secretary of Homeland Security to submit such a report.

    • In CIRCIA, Congress established a Cyber Incident Reporting Council (CIRC) to
    coordinate, deconflict, and harmonize Federal incident reporting requirements, including
    those issued through regulation. Secretary of Homeland Security Alejandro N. Mayorkas
    delegated to Under Secretary for Strategy, Policy, and Plans Robert Silvers responsibility
    to chair the CIRC.

    • The CIRC led an intensive process to identify the actionable recommendations to
    harmonize cyber incident reporting requirements reflected in this report. To support the
    development of these recommendations, the CIRC took inventory of existing and proposed
    Federal cyber incident reporting requirements and engaged with Federal agencies and
    outside experts from industry and other stakeholders.

    • The CIRC comprehensively assessed 52 in-effect or proposed Federal cyber incident
    reporting requirements. That assessment, reflected in this report, highlights potentially
    duplicative Federal reporting and identifies challenges to harmonization of these
    requirements.

    • Based on the work of the CIRC, this report proposes a model definition for reportable
    cyber incidents; model timelines and triggers for reporting; and offers recommendations
    for how to align content of cyber incident reports and to move toward a model reporting
    form or common data elements wherever practicable.

    • The report also recommends that the Federal Government should assess how best to
    streamline the receipt and sharing of cyber incident reports and cyber incident information,
    including through improvements to existing reporting mechanisms or the potential creation
    of a single portal, and improve processes for engaging with reporting entities following the
    initial report of a cyber incident.

    • As required by §107(d)(1) of CIRCIA, the report also summarizes actions that the
    Cybersecurity and Infrastructure Security Agency (CISA) will take to facilitate
    harmonization of cyber incident reporting as it implements CIRCIA as well as proposals
    that Congress may consider for legislative changes. Proposals for congressional action
    include removing legal barriers to harmonizing incident reporting regimes and exempting
    cyber incident information reported to the Federal Government from the Freedom of
    Information Act.

    • Following release of this report, the CIRC will take steps to begin implementing the
    recommendations and—under the leadership of DHS—continue to serve as the Executive
    Branch’s forum to coordinate, deconflict, and harmonize Federal cyber incident reporting
    requirements. On behalf of the Secretary, the DHS Office of Strategy, Policy, and Plans
    will coordinate closely with agencies participating in the CIRC to keep Congress apprised
    of developments in the whole-of-government approach to reduce complexity, diminish
    regulatory overlap, and eliminate unnecessary duplication with respect to cyber incident
    reporting.

  • ...as a developer of the Federal infrastructure, I'd like to use a Linux workstation please. You can monitor all my TCP/IP in/output all you want, but even if only within a VM, may I please use something like Ubuntu to develop open-source web servers which are practically identical to my workstation? Please reconsider the denial I previously received requesting WSL2, because, "it is a virtual machine, and I'd have root, so that's not allowed."

    The only digital thing I can submit to the Feds are GIT commits.

    • wellllllll, okay, I developed a server stack to be used for modeling and simulation by the DoD, and in that development process, I found ways to legally allow people to have root to virtual machines in the system... not to the hypervisor or the hardware itself, but to the VMs. So, this can be done, it is just time consuming and requires a bit of work on your part to get whoever is your Security director equivalent to sign off on it. Oh, and we had all sorts of firewalls and shite.
  • To take a measured reasonable approach to a highly esoteric and technical regulation issue? Sorry, buddy, that is simply not gonna happen.

    The Democrats will respond with a hodgepodge that is more likely to make matters worse.

    The only thing the Republicans can do on a regulation issue is to scream SHUT DOWN.

    Nowadays, Congress can only move on an issue if some part of the country is literally about to fall into a black hole.
