From: Gideon T. Rasmussen, CISSP, CRISC, CISA, CISM, CIPP

Sent: Thursday, April 4, 2024 8:52 AM

To: circia@cisa.dhs.gov

Cc: Todd Klessman; Mary Rasmussen; Kaeli Rasmussen; Hunter Rasmussen

Subject: RE: Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements (Docket Number CISA-2022-0010)

CISA Team,

Thanks for soliciting public input on approaches to implement cyber incident reporting requirements. Here is my response to your request for information:

It can be difficult to consume 133 pages of requirements narrative in three-column format. Consider publishing a 3-5 page summary.

Include an incident reporting section:

Timeframe: Deadline to send the notification (e.g. 72 hours)

Notification Criteria: Aspects of an event that trigger the requirement for notification

Message Content: Specific details that must be included within the message

Recipients: Those that must receive the message (e.g. CISA or federated model)

Mechanism: Details of where to send the message (e.g. a specific e-mail address, enter into a website, etc.)

CIRCIA reporting requirements will be entered into a Data Breach Notification Matrix, within Crisis Communications Plans. Make it easy to cut-and-paste requirements into that concise format.

Detail which organizations are in scope for CIRCIA reporting, such as a listing of critical infrastructure sectors and service providers that have access to XYZ data. It would also be helpful to mention organizations that are out of scope.

Make it easy for Crisis Management and Cybersecurity professionals to comply with initial notification requirements. The CISA Incident Response Team should have engagement procedures and document templates to help guide the victim organization through remaining reporting requirements from there.

Consider whether assigned resources will have capacity to review and respond to CIRCIA reporting requirements. Volume will be driven by conservative interpretation of what constitutes a substantial cyber incident. Determine if it is appropriate to clarify reporting submission scope with more specific requirements language. Otherwise, it may be necessary to establish a federated response model or to assemble a large team (costly and difficult to staff).

Additional details can be found in my response to your 2022 request for information.

CISA Team: Feel free to contact me with questions and comments. I am grateful for your service to our country.

Thanks,

Gideon

Gideon T. Rasmussen | CISSP, CRISC, CISA, CISM, CIPP | Consultant

Virtual CSO, LLC | www.virtualcso.com | www.gideonras.com

The opinions expressed here are my own and not necessarily those of my current or past clients/employers.