When faced with a cybersecurity incident, CISOs must contend with more than the threat itself. They must also navigate a myriad of state incident reporting regulations, along with proposed regulations at the federal level. These regulations differ on what qualifies as a reportable incident, on the timeline within which an incident must be reported, and on the process for reporting it. CISOs who fail to meet these varying requirements may face legal penalties.
Amidst a cybersecurity incident, CISOs should be focused on responding to the attack, not working through an extensive list of reporting requirements for several different agencies. As such, the NTSC believes the best solution is for CISA to serve as the primary agency for all incident reporting requirements and as the only agency to which CISOs must report in the event of an incident. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) already designates CISA as the principal agency for critical infrastructure incident reporting. We would like to see that role expanded to cover all cyber incidents, not just those that impact critical infrastructure.
Moreover, we believe that incident reporting works best when CISA is a partner with the private sector rather than a regulatory body like the Federal Trade Commission. CISA has worked to foster a positive relationship with the private sector, and that relationship is key to effective incident reporting.