Gideon T. Rasmussen, CISSP, CRISC, CISA, CISM, CIPP
Sent: Thursday, September 29, 2022 1:20 PM
To: Todd Klessman <firstname.lastname@example.org>
Cc: email@example.com; Mary Rasmussen
Subject: RFI on the Cyber Incident Reporting for Critical Infrastructure Act of 2022
I. High level feedback:
▪ Focus on the audience
◦ There are three core audiences
- Senior executives
- Legal
- Cybersecurity technologists
◦ Provide commentary that speaks to each directly
◦ The requirements document should be a mix of awareness and legal narrative
▪ Provide assurances
◦ Speak to concerns on the other side of the table
- There is a desire to limit liability
- Business impact and reputational damage
- Reporting may cause harm to the company
◦ Companies may be wary of government support due to confidentiality concerns
◦ Detail why it makes good business sense to adhere to these guidelines
▪ Review and feedback
◦ Be wary of conference room risk when writing reporting requirements
◦ It is necessary for organizations to review definitions such as ‘Substantial cyber incident’
◦ Post draft reporting requirements to the public for review and feedback
II. Detailed feedback
“(1) Definitions, Criteria, and Scope of Regulatory Coverage
c. The meaning of “covered cyber incident,” consistent with the definition provided in section 2240(4), taking into account the requirements, considerations, and exclusions in section 2242(c)(2)(A), (B), and (C), respectively. Additionally, the extent to which the definition of “covered cyber incident” under CIRCIA is similar to or different from the definition used to describe cyber incidents that must be reported under other existing federal regulatory programs.”
GTR: Let’s think of definition requirements as a first step. Organizations must report cybersecurity incidents to CISA in cases where:
(a) sensitive data is exfiltrated (or exported) from the organization’s IT environment. It is necessary to define what sensitive data is and what volume of stolen data records are in scope for CIRCIA reporting.
(b) an event causes a disruption in services for a significant population of US citizens
(c) the event has national security implications such as an impact on critical infrastructure
An attorney will be able to draft a definition while referencing detailed requirements. The deliverable should be a definition of a ‘covered cyber incident’ that does not require an attorney to interpret. The topic should be covered within one page, without needing to reference definitions in other areas of the document.
It is necessary to make clear which side of the table CISA sits on: alongside the organization responding to a cybersecurity incident, or across from it. When reporting requirements read like a legal contract, that conveys an adversarial tone and organizations may become defensive.
“e. The meaning of “substantial cyber incident.”
GTR: The meaning of a ‘substantial cyber incident’ and a ‘covered cyber incident’ should be synonymous. Consider eliminating ‘covered cyber incident’. Organizations have limited resources and should only be expected to report a ‘substantial cyber incident’ to the federal government.
“(2) Report Contents and Submission Procedures
a. How covered entities should submit reports on covered cyber incidents, the specific information that should be required to be included in the reports (taking into consideration the requirements in section 2242(c)(4)), any specific format or manner in which information should be submitted (taking into consideration the requirements in section 2242(c)(8)(A)), any specific information that should be included in reports to facilitate appropriate sharing of reports among federal partners, and any other aspects of the process, manner, form, content, or other items related to covered cyber incident reporting that would be beneficial for CISA to clarify in the regulations.”
GTR: Allow organizations to provide industry standard cybersecurity reporting to fulfill CIRCIA Act requirements.
Most organizations are required to report cybersecurity incidents soon after they occur by laws, regulations and contractual obligations. Wherever possible, enable CIRCIA to be a "Cc to CISA" rather than prescriptive reporting requirements.
Consider providing guidelines and examples in this section of the requirements. The organization should have flexibility to submit existing content in a variety of ways, provided the goal of communicating the details of the incident is met.
Here is an example:
◦ Incident Report: Provide an incident report that addresses 'detection and analysis', 'containment, eradication & recovery' and 'post-incident activity'. Reference NIST SP 800-61 for additional guidance (Computer Security Incident Handling Guide).
◦ Technical Details: Include technical details of the adversary’s activities. At a high level, this is reference to Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IOCs). Provide detailed information such as a technical description of how the adversary initially gained access to the IT environment, how they pivoted and moved laterally, how they escalated privileges and how they exfiltrated data. Provide IOCs such as adversary IP addresses, domain names, hashes, e-mail addresses, etc. Provide technical artifacts such as security log and event files.
“f. How covered entities should submit supplemental reports, what specific information should be included in supplemental reports, any specific format or manner in which supplemental report information should be submitted, the criteria by which a covered entity determines “that the covered cyber incident at issue has concluded and has been fully mitigated and resolved,” and any other aspects of the process, manner, form, content, or other items related to supplemental reports that would be beneficial for CISA to clarify in the regulations.”
GTR: The requirement to report within 72 hours is a bit aggressive. If this is a “substantial cyber incident”, response activities are still underway. In that scenario, the CIRCIA Act may have a negative impact on incident response, an effect the politicians did not intend.
It makes sense to consider the goals here. CIRCIA wants risk transparency. There is also an implied intent to minimize negative business impact on the organization and to require what is reasonable.
Consider tiered reporting requirements such as:
Phase I. Report within 72 hours (event has occurred: holding statement)
A holding statement is an initial method of communicating a data breach. The message theme conveys non-specific topics such as: a data breach has occurred, an active investigation is underway and updates will be provided as more information becomes available.
Phase II. Report within one week (known TTPs and IOCs)
Reference the feedback on gathering TTPs and IOCs in the ‘Technical Details’ commentary above.
Phase III. Report within one month (update: known TTPs and IOCs, with remediation activity to date and future plans)
Phase IV. Report as incident recovery is complete
The four phases above are reasonable. Consider whether CISA’s capacity would be overwhelmed by more frequent communications (conference room risk). Consider what CISA’s goals are (e.g. gather TTPs/IOCs to protect critical infrastructure & civilian organizations and ensure “substantial cyber incidents” are mitigated with a sense of urgency). The tiered reporting framework above gives CISA the information it needs, while providing courtesy and conveying a tone of partnership.
“h. What CISA should consider when “balanc[ing] the need for situational awareness with the ability of the covered entity to conduct cyber incident response and investigations” when establishing deadlines and criteria for supplemental reports.”
GTR: The tiered reporting requirements above are meant to address that concern. Go easy in the first 72 hours.
“(3) Other Incident Reporting Requirements and Security Vulnerability Information Sharing
a. Other existing or proposed federal or state regulations, directives, or similar policies that require reporting of cyber incidents or ransom payments, and any areas of actual, likely, or potential overlap, duplication, or conflict between those regulations, directives, or policies and CIRCIA's reporting requirements.”
GTR: Earlier this month the Federal Reserve Board opened a 60 day comment period for updates to operational risk-management requirements, including incident management and notification. They have been included on the Cc in lieu of review and comments on their specific requirements.
“b. What federal departments, agencies, commissions, or other federal entities receive reports of cyber incidents or ransom payments from critical infrastructure owners and operators.”
GTR: This question is a sign of how broken communications are within the federal government. It’s not reasonable for more than one federal organization to assert itself and consume resources when an organization is responding to an incident. CISA should take point.
“c. The amount it typically costs and time it takes, including personnel salary costs (with associated personnel titles if possible), to compile and report information about a cyber incident under existing reporting requirements or voluntary sharing, and the impact that the size or type of cyber incident may have on the estimated cost of reporting.
d. The amount it costs per incident to use a third-party entity to submit a covered cyber incident report or ransom payment report on behalf of a covered entity.
e. The amount it typically costs to retain data related to cyber incidents.”
GTR: Ask Verizon and Mandiant. They provide data breach response services for many organizations each year.
“f. Criteria or guidance CISA should use to determine if a report provided to another federal entity constitutes “substantially similar reported information.”
GTR: Consider asking NIST to address that in an update to their Computer Security Incident Handling Guide (SP 800-61 R2). The current version was published in 2012. Once that update is in place, CISA’s CIRCIA reporting requirements could be updated to cite 800-61 and the section name.
governing the timing and manner in which information relating to security vulnerabilities may be shared, including any common industry best practices and United States or international standards.”
GTR: If the timing of sending a security advisory may tip off the adversary, CISA should consider waiting a few days.
Many years ago the response to a cybersecurity incident was to “pull the plug from the server”. Today we know that is not a prudent approach. If the plug is pulled, volatile data, such as which IP addresses are connected to the system, is lost. It is also necessary to investigate where the adversary gained access before attempting to eradicate them from the IT environment.
III. Feedback on “any other topics”
A. CISA’s Priorities
Provide a brief statement that explains what CISA’s motivations are. For example:
CISA's goals for CIRCIA Act reporting are (a) to send details of adversary tactics to the cybersecurity community and (b) to offer data breach response services at no cost.
B. Call to Action
Provide a brief statement that answers ‘the why’ for organizations. For example:
When your organization sends details of a cybersecurity incident, you are providing a public service. Your actions help protect thousands of organizations throughout the US and elsewhere.
Your actions demonstrate integrity, doing the right thing when no one is looking. That aligns with your organization’s core values.
C. Influencing use of CISA Incident Response Services
If CISA has not established a relationship with senior executives in advance, it is too late at the time of a ‘substantial cyber incident’. Large and most mid-sized organizations will follow their incident response plans and work with their support partners such as data breach
We live in the world of TL;DR (too long; didn't read). Try something like this:
Consider establishing a relationship with CISA proactively, before a cybersecurity incident occurs. Our employees help organizations across the US and can provide ways to resolve an incident quickly such as ransomware decryption keys or details of adversary tactics that help eradicate them from your IT environment. CISA can be a strong partner, even if your organization subscribes to a data breach response service.
Detail scenarios where CISA will keep information confidential. For example:
details of a cybersecurity incident, CISA may disclose technical details of the adversary’s TTPs and IOCs to help protect the cybersecurity community.
CISA will not disclose an organization’s name unless (a) the organization has already disclosed the cybersecurity incident to the media or (b) the company’s name has already been disclosed to the media through another source.
Confidentiality encourages partnership and transparency in practice, enabling CISA to communicate TTPs/IOCs shortly after the breach, preventing similar impact at other organizations.
E. Effective Communications
Leverage the CISA communications function as quality assurance when drafting CIRCIA reporting requirements. There are three audiences to consider: senior executives, legal and cybersecurity technologists. Include the information necessary for analysis and understanding all in one document. If the document requires an attorney to interpret CIRCIA reporting requirements, that’s a fail.
F. CISA’s Capacity
Estimate the volume of reporting submissions that will be sent annually based on threat landscape documents such as the Verizon Data Breach Investigations Report. It may be necessary to increase CISA’s headcount and funding to match.
CISA Team: I appreciate your efforts to protect our country. Thanks for fighting the good fight!
The opinions expressed here are my own and not necessarily those of my clients or past employers.