With a centralized process, CISA will take on a larger role in maintaining overall cybersecurity situational awareness.
“We may have situations where other companies or agencies are targeted by the same threat,” Cleveland says. “CISA will be positioned to provide shared information on threats. It will be able to provide assistance with mitigation. This will give a greater understanding of what needs to be done for managing and mitigating incidents.”
Federal agencies tasked with responding to cyber incidents, such as the FBI, will benefit from the proposed CIRCIA rules as well.
“Those agencies will get better and more timely data that can help them do their jobs and can potentially allow them to help victims while the crime is still ongoing,” Richberg says.
Upskilling the Cyber Workforce and Other Actions Agencies Can Take
In conjunction with the proposed rules, CISA is making a budget request of $116 million in fiscal year 2025 for the CIRCIA program, including 122 full-time employees to “receive, analyze, and action reports.”
“One of the big impacts will be the upskilling of the federal cybersecurity force,” Cleveland says. “It will be more expensive to respond to incidents going forward. It will require more resources and monitoring within agencies and anything deemed critical infrastructure.”
CISA’s proposed rules will be open to public comment through June 3, allowing time for industry experts and the public to review and weigh in. Afterward, CISA will have 18 months to finalize the rules, and Congress will have 60 days for its own review.
Some details in the rules are already raising questions.
“I was surprised by the breadth of what the agency defined as critical infrastructure,” Cleveland says. “It is more broadly defined now, including commercial facilities, agriculture and financial services. It touches a lot of industries.”
“There are four types of incidents covered by these rules. The supply chain category is most surprising,” Richberg says. “If your supply chain gets compromised, you have to report it, even if the compromise did not cause actual damage. That, to me, feels really broad.”
There are many actions that federal agencies can take now to better protect themselves in the current threat environment.
“I’d start with having a solution in place to address threats at the point of infection, the endpoint. Do you have comprehensive endpoint threat responses that can use threat data and information about what is happening inside a device in real time and stop an activity that looks like wholesale encryption?” Richberg says. “Endpoint detection and response or extended detection and response solutions either stop an attack from gaining a foothold or keep damage from spreading beyond the point of infection.”
“Agencies will need to do more exercises, practicing for ransomware attacks and breaches. You should have staff go through timelines and who to report to and when,” Cleveland says. “Exercising is one of the missing pieces that agencies need to improve at. That’s exercising as a cross function of the agency, not just a cybersecurity activity or practice.”