A new draft of revised regulations on cyber reporting for critical infrastructure organisations has been made public by the US Cybersecurity and Infrastructure Security Agency (CISA).
The Cyber Incident Reporting for Critical Infrastructure (CIRCIA) Act of 2022 is being updated, and CISA has produced the first draft of the proposed rules. The Federal Register will publish the draft rules on April 4.
According to DFARS clause 252.204-7012, these regulations will apply to all US defence contractors that are considered to manage critical infrastructure.
According to the Act, all organisations that are part of the 16 critical infrastructure sectors as specified by CISA are required to disclose cyber events to the agency within 72 hours of the incident occurring.
Furthermore, payments made in response to a ransomware attack must be recorded within 24 hours of the ransom being paid.