From:
Gideon T. Rasmussen, CISSP, CRISC, CISA, CISM, CIPP
Sent: Thursday, September 29, 2022 1:20 PM
To: Todd Klessman <circia@cisa.dhs.gov>
Cc: regs.comments@federalreserve.gov; Mary Rasmussen
Subject: RFI on the Cyber Incident Reporting for Critical Infrastructure Act of 2022
CISA Team,
Thanks for soliciting public input on approaches to implement cyber incident reporting requirements. Here is my response to your request for information:
I. High level feedback:
▪ Focus on the audience
◦ There are three core audiences
- Senior executives
- Legal
- Cybersecurity technologists
◦ Provide commentary that speaks to each directly
◦ The requirements document should be a mix of awareness and legal narrative
▪ Provide assurances
◦ Speak to concerns on the other side of the table
- There is a desire to limit liability
- Business impact and reputational damage
- Reporting may cause harm to the company
◦ Companies may be wary of government support due to confidentiality concerns
◦ Detail why it makes good business sense to adhere to these guidelines
▪ Review and feedback
◦ Be wary of conference room risk when writing reporting requirements
◦ It is necessary for organizations to review definitions such as "substantial cyber incident"
◦ Post draft reporting requirements to the public for review and feedback
II. Detailed feedback
(1) Definitions, Criteria, and Scope of Regulatory Coverage
c. The meaning of covered cyber incident, consistent with the definition provided in section 2240(4), taking into account the requirements, considerations, and exclusions in section 2242(c)(2)(A), (B), and (C), respectively. Additionally, the extent to which the definition of covered cyber incident under CIRCIA is similar to or different from the definition used to describe cyber incidents that must be reported under other existing federal regulatory programs.
GTR: Let's think of definition requirements as a first step. Organizations must report cybersecurity incidents to CISA in cases where:
(a) sensitive data is exfiltrated (or exported) from the organization's IT environment. It is necessary to define what sensitive data is and what volume of stolen data records are in scope for CIRCIA reporting.
(b) an event causes a disruption in services for a significant population of US citizens
(c) the event has national security implications such as an impact on critical infrastructure
An attorney will be able to draft a definition while referencing detailed requirements. The deliverable should be a definition of a covered cyber incident that does not require an attorney to interpret. The topic should be covered within one page, without needing to reference definitions in other areas of the document.
It is necessary to make clear which side of the table CISA sits on: the organization responding to a cybersecurity incident, or the other side of the table. When reporting requirements read like a legal contract, that conveys an adversarial tone and organizations may become defensive.
e. The meaning of substantial cyber incident.
GTR: The meaning of a substantial cyber incident and a covered cyber incident should be synonymous. Consider eliminating "covered cyber incident". Organizations have limited resources and should only be expected to report a substantial cyber incident to the federal government.
(2) Report Contents and Submission Procedures
a. How covered entities should submit reports on covered cyber incidents, the specific information that should be required to be included in the reports (taking into consideration the requirements in section 2242(c)(4)), any specific format or manner in which information should be submitted (taking into consideration the requirements in section 2242(c)(8)(A)), any specific information that should be included in reports to facilitate appropriate sharing of reports among federal partners, and any other aspects of the process, manner, form, content, or other items related to covered cyber incident reporting that would be beneficial for CISA to clarify in the regulations.
GTR: Allow organizations to provide industry standard cybersecurity reporting to fulfill CIRCIA Act requirements.
Most organizations are required to report cybersecurity incidents soon after they occur by laws, regulations and contractual obligations. Wherever possible, enable CIRCIA to be a "Cc to CISA" rather than prescriptive reporting requirements.
Consider providing guidelines and examples in this section of the requirements. The organization should have flexibility to submit existing content in a variety of ways, provided the goal of communicating details of the incident is met.
Here is an example:
◦ Incident Report: Provide an incident report that addresses 'detection and analysis', 'containment, eradication & recovery' and 'post-incident activity'. Reference NIST SP 800-61 (Computer Security Incident Handling Guide) for additional guidance.
◦ Technical Details: Include technical details of the adversary's activities. At a high level, this is a reference to Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IOCs). Provide detailed information such as a technical description of how the adversary initially gained access to the IT environment, how they pivoted and moved laterally, how they escalated privileges and how they exfiltrated data. Provide IOCs such as adversary IP addresses, domain names, hashes, e-mail addresses, etc. Provide technical artifacts such as security log and event files.
f. How covered entities should submit supplemental reports, what specific information should be included in supplemental reports, any specific format or manner in which supplemental report information should be submitted, the criteria by which a covered entity determines that the covered cyber incident at issue has concluded and has been fully mitigated and resolved, and any other aspects of the process, manner, form, content, or other items related to supplemental reports that would be beneficial for CISA to clarify in the regulations.
GTR: The requirement to report within 72 hours is a bit aggressive. If this is a "substantial cyber incident", response activities are still underway. In that scenario, the CIRCIA Act may have a negative impact on incident response, which is unintended by the politicians.
It makes sense to consider the goals here. CIRCIA wants risk transparency. There is also an implied intent to minimize negative business impact on the organization and to require what is reasonable.
Consider tiered reporting requirements such as:
Phase I. Report within 72 hours (event has occurred - holding statement)
A holding statement is an initial method of communicating a data breach. The message theme conveys non-specific topics such as: a data breach has occurred, an active investigation is underway and updates will be provided as more information becomes available.
Phase II. Report within one week (known TTPs and IOCs)
Reference the feedback on gathering TTPs and IOCs in the Technical Details commentary above.
Phase III. Report within one month (update: known TTPs and IOCs, with remediation activity to date and future plans)
Phase IV. Report as incident recovery is complete
The four phases above are reasonable. Consider whether CISA's capacity would be overwhelmed by more frequent communications (conference room risk). Consider what CISA's goals are (e.g. gather TTPs/IOCs to protect critical infrastructure & civilian organizations and ensure substantial cyber incidents are mitigated with a sense of urgency). The tiered reporting framework above gives CISA the information it needs, while providing courtesy and conveying a tone of partnership.
h. What CISA should consider when balanc[ing] the need for situational awareness with the ability of the covered entity to conduct cyber incident response and investigations when establishing deadlines and criteria for supplemental reports.
GTR: The tiered reporting requirements above are meant to address that concern. Go easy in the first 72 hours.
(3) Other Incident Reporting Requirements and Security Vulnerability Information Sharing
a. Other existing or proposed federal or state regulations, directives, or similar policies that require reporting of cyber incidents or ransom payments, and any areas of actual, likely, or potential overlap, duplication, or conflict between those regulations, directives, or policies and CIRCIA's reporting requirements.
GTR: Earlier this month the Federal Reserve Board opened a 60-day comment period for updates to operational risk-management requirements, including incident management and notification. They have been included on the Cc in lieu of review and comments on their specific requirements.
b. What federal departments, agencies, commissions, or other federal entities receive reports of cyber incidents or ransom payments from critical infrastructure owners and operators.
GTR: This question is a sign of how broken communications are within the federal government. It's not reasonable for more than one federal organization to assert itself and consume resources when an organization is responding to an incident. CISA should have point.
c. The amount it typically costs and time it takes, including personnel salary costs (with associated personnel titles if possible), to compile and report information about a cyber incident under existing reporting requirements or voluntary sharing, and the impact that the size or type of cyber incident may have on the estimated cost of reporting.
d. The amount it costs per incident to use a third-party entity to submit a covered cyber incident report or ransom payment report on behalf of a covered entity.
e. The amount it typically costs to retain data related to cyber incidents.
GTR: Ask Verizon and Mandiant. They provide data breach response services for many organizations each year.
f. Criteria or guidance CISA should use to determine if a report provided to another federal entity constitutes substantially similar reported information.
GTR: Consider asking NIST to address that in an update to their Computer Security Incident Handling Guide (SP 800-61 R2). The current version was published in 2012. Once that update is in place, CISA's CIRCIA reporting requirements could be updated to cite 800-61 and the section name.
h. Principles governing the timing and manner in which information relating to security vulnerabilities may be shared, including any common industry best practices and United States or international standards.
GTR: If the timing of sending a security advisory may tip off the adversary, CISA should consider waiting a few days.
Many years ago the response to a cybersecurity incident was to "pull the plug from the server". Modern day, we know that is not a prudent approach. If the plug is pulled, volatile data such as which IP addresses are connected to the system are lost. It is also necessary to investigate where the adversary gained access before attempting to eradicate them from the IT environment.
III. Feedback on any other topics
A. CISA's Priorities
Provide a brief statement that explains what CISA's motivations are. For example:
CISA's goals for CIRCIA Act reporting are (a) to send details of adversary tactics to the cybersecurity community and (b) to offer data breach response services at no cost.
B. Call to Action
Provide a brief statement that answers the "why" for organizations. For example:
When your organization sends details of a cybersecurity incident, you are providing a public service. Your actions help protect thousands of organizations throughout the US and elsewhere.
Your actions demonstrate integrity, doing the right thing when no one is looking. That aligns with your organization's core values.
C. Influencing use of CISA Incident Response Services
If CISA has not established a relationship with senior executives in advance, it is too late at the time of a "substantial cyber incident". Large and most mid-sized organizations will follow their incident response plans and work with their support partners such as data breach response firms.
We live in the world of TL;DR (too long; didn't read). Try something like this:
Consider establishing a relationship with CISA proactively, before a cybersecurity incident occurs. Our employees help organizations across the US and can provide ways to resolve an incident quickly such as ransomware decryption keys or details of adversary tactics that help eradicate them from your IT environment. CISA can be a strong partner, even if your organization subscribes to a data breach response service.
D. Confidentiality
Detail scenarios where CISA will keep information confidential. For example:
Upon receiving details of a cybersecurity incident, CISA may disclose technical details of the adversary's TTPs and IOCs to help protect the cybersecurity community. CISA will not disclose an organization's name unless (a) the organization has already disclosed the cybersecurity incident to the media or (b) the company's name has already been disclosed to the media through another source.
Confidentiality encourages partnership and transparency in practice, enabling CISA to communicate TTPs/IOCs shortly after the breach, preventing similar impact at other organizations.
E. Effective Communications
Leverage the CISA communications function as quality assurance when drafting CIRCIA reporting requirements. There are three audiences to consider: senior executives, legal and cybersecurity technologists. Include information necessary for analysis and understanding all in one document. If the document requires an attorney to interpret CIRCIA reporting requirements, that's a fail.
F. CISA's Capacity
Estimate the volume of reporting submissions that will be sent annually based on threat landscape documents such as the Verizon Data Breach Investigations Report. It may be necessary to increase CISA's headcount and funding to match.
CISA Team: I appreciate your efforts to protect our country. Thanks for fighting the good fight!
Feel free to reach out to me with questions or comments.
Gideon
Gideon T. Rasmussen | CISSP, CRISC, CISA, CISM, CIPP | Consultant
Virtual CSO, LLC | www.virtualcso.com | www.gideonras.com
The opinions expressed here are my own and not necessarily those of my clients or past employers.