CISA’s draft cyber rules are in: Here’s what caught our attention
We’ve all seen the headlines. Cyberattacks are more complex, harder to detect, and now, attackers are targeting our critical infrastructure — the systems that keep our hospitals running, our lights on, goods moving, gas flowing, and our money secure.
The US government just took a major leap forward in protecting its critical infrastructure with new proposed regulations from the Cybersecurity and Infrastructure Security Agency (CISA), which would require critical infrastructure companies to report substantial cyberattacks within 72 hours and ransom payments within 24 hours. This marks the first comprehensive cybersecurity regulation effort across critical infrastructure sectors by the US federal government. Here are a few things to note about these rules.
The high stakes of critical infrastructure security
The new rules apply to companies that own or operate critical infrastructure systems (e.g., healthcare, energy, financial services, transportation, and water/wastewater). These systems are prime targets for attackers and a top priority for protection. The rules also extend to companies whose systems are vital to a particular critical infrastructure sector (e.g., service providers), even if they don’t directly operate critical infrastructure. However, small organizations that meet the Small Business Administration’s criteria for revenue and employee counts are exempt from these regulations.
The regulations would require these companies to report cyber incidents that are likely to cause demonstrable harm to the national security interests, foreign relations, economy, public confidence, civil liberties, or public health and safety of the US. Essentially, if an incident poses a real threat to the wellbeing of the US and its residents, it needs to be reported.
Data is power
The government believes these regulations are necessary to better protect critical infrastructure across all sectors. The new reporting requirements will help CISA gather the data necessary to quickly identify attack patterns, fill information gaps, provide rapid assistance to affected organizations, and warn potential victims to prevent similar attacks.
Balancing transparency and privacy
Unlike other guidelines, such as the SEC’s cybersecurity rules issued last year, CISA will keep reported information confidential. The agency intends to only publicly publish high-level, anonymized data on a quarterly basis in reports that highlight aggregated observations and recommendations.
The need for speed
These proposed rules have stringent reporting timelines, especially for ransom payments, which need to be reported within 24 hours.
CISA’s proposal is just the latest in a series of government regulations pushing for shorter reporting timelines, which highlights how important it is becoming for companies to detect attacks quickly and report on them with sufficient detail.
Below is a high-level overview of some of the recent cyber regulations that have been introduced in the US and EU.
Regulation | Reporting timelines | Who is impacted | Effective date
---|---|---|---
CISA | Substantial cyber incidents within 72 hours; ransom payments within 24 hours | Companies that own or operate systems classified as critical infrastructure by the US government; companies with systems that are vital to a critical infrastructure sector | TBD (final rule expected by the end of 2025)
New York State Department of Financial Services (NY DFS) | | NY DFS has supervisory power over banks, insurance companies, and other financial service companies; effectively any institution that requires a license from the NY DFS | December 1, 2023
SEC | | Publicly traded companies in the US | December 18, 2023 for most US public companies
DORA | | Financial institutions and information and communication technology companies providing services to the financial sector | January 17, 2025
NIS2 | | Entities that provide essential or important services to the European economy and society (including companies and suppliers) | October 17, 2024
The countdown begins: How Lacework can help
Our Lacework Composite Alerts automate and simplify cybersecurity event investigation. This unique feature uses machine learning (ML)-powered anomaly detection and the latest threat intelligence to deliver the clear, actionable, and accurate information that you’ll need to promptly manage security incidents and comply with reporting requirements like CISA’s (and the many more cyber rules that will inevitably follow).
Although the draft CISA rules won’t be mandatory until the final rule is published (within the next 18 months), CISA encourages voluntary reporting now. They’re also working on aligning these requirements with other similar regulations, allowing for some reporting overlaps under certain conditions.
Lacework has created several resources to help you tackle the ongoing changes in cyber regulations. Check them out below:
- SEC Materiality Framework
- What is NIS2?
- In prep for NIS2 cybersecurity requirements
- A perspective on CISA Living Off The Land (LOTL) guidance
These documents should not be relied upon as legal advice. Consult with your own legal counsel prior to taking any action.