CISA’s draft cyber rules are in: Here's what caught our attention

 

We’ve all seen the headlines. Cyberattacks are more complex, harder to detect, and now, attackers are targeting our critical infrastructure — the systems that keep our hospitals running, our lights on, goods moving, gas flowing, and our money secure.

The US government just took a major leap forward in protecting its critical infrastructure with new proposed regulations from the Cybersecurity and Infrastructure Security Agency (CISA), which would require critical infrastructure companies to report substantial cyberattacks within 72 hours and ransom payments within 24 hours. This marks the first comprehensive cybersecurity regulation effort across critical infrastructure sectors by the US federal government. Here are a few things to note about these rules. 

The high stakes of critical infrastructure security

The new rules apply to companies that own or operate critical infrastructure systems (e.g.,  healthcare, energy, financial services, transportation, water/wastewater, etc.). These systems are prime targets for attackers and a top priority for protection. The rules also extend to companies whose systems are vital to a particular critical infrastructure sector (e.g., service providers), even if they don’t directly operate critical infrastructure. However, small organizations that meet the Small Business Administration’s criteria for revenue and employee counts are exempt from these regulations.

The regulations would require these companies to report cyber incidents that are likely to cause demonstrable harm to the national security interests, foreign relations, economy, public confidence, civil liberties, or public health and safety of the US. Essentially, if an incident poses a real threat to the wellbeing of the US and its residents, it needs to be reported. 

Data is power

The government believes these regulations are necessary to better protect critical infrastructure across all sectors. The new reporting requirements will help CISA gather the data necessary to quickly identify attack patterns, fill information gaps, provide rapid assistance to affected organizations, and warn potential victims to prevent similar attacks.

Balancing transparency and privacy 

Unlike other guidelines, such as the SEC’s cybersecurity rules issued last year, CISA will keep reported information confidential. The agency intends to only publicly publish high-level, anonymized data on a quarterly basis in reports that highlight aggregated observations and recommendations. 

The need for speed 

These proposed rules have stringent reporting timelines, especially for ransom payments, which need to be reported within 24 hours. 

CISA is just the latest example of a series of government regulations that are pushing for quicker reporting guidelines, which highlights just how important it’s becoming for companies to be able to quickly detect attacks and report on them with sufficient detail. 

Below is a high-level overview of some of the recent cyber regulations that have been introduced in the US and EU. 

 

Regulation	Reporting timelines	Who is impacted	Effective date
CISA	Within 72 hours of detecting a significant cyberattack Within 24 hours of making a ransom payment	Companies that own or operate systems classified as critical infrastructure by the US government. Companies with systems that are vital to a critical infrastructure sector	TBD (final rule expected by the end of 2025)
New York State Department of Financial Services (NY DFS)	Within 72 hours of detecting a significant cyberattack Within 24 hours of making a ransom payment	NY DFS has supervisory power over any banks, insurance companies, and other financial service companies; effectively any institution that requires a license from the NY DFS	December 1, 2023
SEC	Within 4 business days after determining a cyberattack is material	Publicly traded companies in the US	December 18, 2023 for most US public companies
DORA	Provide a detailed business report within 24 hours of detecting the breach Requires anomaly detection among other security protections (DORA Article 10)	Financial institutions and information communication technology companies providing services to the financial sector	January 17, 2025
NIS2	Within 24 hours: Provide an early warning with initial assessments Within 72 hours: Submit a notification report assessing severity and impact Within 1 month: Submit a comprehensive report with resolution details Requires AI-based threat detection (NIS2 Section 51)	Entities that provide essential or important services to the European economy and society (including companies and suppliers)	October 17, 2024

 

The countdown begins: How Lacework can help

Our Lacework Composite Alerts automate and simplify cybersecurity event investigation. This unique feature uses machine learning (ML)-powered anomaly detection and the latest threat intelligence to deliver the clear, actionable, and accurate information that you’ll need to promptly manage security incidents and comply with reporting requirements like CISA’s (and the many more cyber rules that will inevitably follow). 

Although the draft CISA rules won’t be mandatory until the final rule is published (within the next 18 months), CISA encourages voluntary reporting now. They’re also working on aligning these requirements with other similar regulations, allowing for some reporting overlaps under certain conditions.

Lacework has created several resources to help you tackle the ongoing changes in cyber regulations. Check them out below: 

• SEC Materiality Framework
• What is NIS2?  
• In prep for NIS2 cybersecurity requirements
• A perspective on CISA Living Off The Land (LOTL) guidance

These documents should not be relied upon as legal advice. Consult with your own legal counsel prior to taking any action.