Seeking harmony: CISA’s proposed cyber reporting rules for critical infrastructure are an ambitious work in progress
Abstract
The federal cyber incident reporting regulations proposed by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) are ambitious and laudable but, with some modest changes, could go even further to protect US critical infrastructure. First, to reduce the growing burden of duplicative and overlapping reporting obligations, CISA should take more concrete steps to harmonise its proposed cyber incident reporting requirements with those of other federal, state and local agencies. Secondly, CISA should provide greater clarity on the types of data that must be preserved following a reportable cyber incident and shorten the default preservation period to six months, with an option to extend it if necessary. Finally, CISA should provide additional guidance about how the reporting requirements apply to the international operations of multinational companies. By offering additional clarity and reducing the burden on private sector entities, CISA could create a streamlined cyber incident reporting regime that is more closely aligned with the goal of providing timely, essential and actionable information that will better protect US critical infrastructure.
The full article is available to subscribers to the journal.
Authors' Biographies
Joseph C. Folio III is a Partner at Morrison Foerster LLP, where he focuses on cyber security issues and white-collar investigations. As Chief Counsel for the Senate Homeland Security and Governmental Affairs Committee, he advised on the development and drafting of cyber security legislation and on responses to breach and ransomware incidents affecting government agencies and the private sector, and conducted oversight of the Cybersecurity and Infrastructure Security Agency (CISA).
Alexandra Ross is Senior Director, Data Protection, Use & Ethics Counsel at Autodesk, Inc., where she provides legal, strategic and governance support for Autodesk’s global privacy, security and trusted artificial intelligence (AI) programmes. She is also an adviser to BreachRx, an adviser to the University of San Francisco’s Strategic AI programme and a member of Women Leaders in Data & AI (WLDA). She is a certified information privacy professional (Certified Information Privacy Professional/United States [CIPP/US], Certified Information Privacy Professional/Europe [CIPP/E], Certificate in Performance Measurement [CIPM], Certified Information Privacy Technologist [CIPT], Fellow of Information Privacy [FIP] and Privacy Law Specialist [PLS]).
Ian Wolfe is a Security Counsel at Autodesk, Inc., where he provides legal support to security incident response, threat detection and intelligence, third-party risk management and global cyber security compliance programmes. Prior to Autodesk, he worked in the healthcare, cyber security software and advertising technology industries. Ian holds the Certified Information Privacy Technologist (CIPT) certification.
Nicholas A. Weigel is an associate at Morrison Foerster LLP, where he focuses on litigation and national security matters. He has worked at the Department of Justice’s National Security Division and the US Attorney’s Offices for the Eastern District of New York and the District of Massachusetts, where he contributed to federal cybercrime prosecutions. He has written on artificial intelligence (AI), electronic surveillance and encryption.