PRIA Logo
Start Free Watch
2025-01165Notice

Cybersecurity Agency Gets Three Comments, One Completely Off-Topic

Published Date: 1/17/2025

Notice

Summary

CISA is asking for your thoughts on a new incident reporting form that helps track cybersecurity problems. This form affects anyone who reports cyber incidents and aims to make sharing info easier and faster. You’ve got until February 18, 2025, to send in your comments—no cost to you, just a little time to help improve the process!

Free Policy Watch

New rules are filed every week. Most people never see them.

Pick a topic. PRIA watches every federal rule and tells you when one hits your household.

Pick a topic to get started

My TaxesMy HealthMy BudgetMy MoneyMy Freedom
Or tell us something more specific

Analyzed Economic Effects

4 provisions identified: 2 benefits, 1 costs, 1 mixed.

New CISA Incident Reporting Form

If your organization reports cyber incidents to CISA, a new Incident Reporting Form will replace the current form for non-CIRCIA authorities. CISA estimates 26,000 respondents, an average initial report time of 3 hours and updated report time of 7.5 hours, total annual respondent burden of 198,250 hours, and total annualized respondent cost of $8,870,611.

Streamlining: Removed and Grouped Questions

CISA removed the proposed 'Violation of Law and Policy' question and will allow grouping like systems instead of requiring full details for every impacted system, except when specific system details are necessary. For entities reporting under FISMA, FEDRAMP, or other regulations whose regulators require it, CISA may still ask more detailed impacted-user and system questions.

New Preparedness and Logging Questions

The new form adds a question asking how prepared an entity was to handle the incident with answer choices: Unprepared, Minimally Prepared, Moderately Prepared, or Well Prepared. CISA also proposes adding fields to indicate availability of DNS security logs, DHCP logs, and IP address management logs for sharing.

CIRCIA Reports Remain Separate and Delayed

CISA says this information collection is distinct from the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) reporting and will not replace CIRCIA reports. CISA anticipates that CIRCIA reporting will not go into effect until late 2025 or early 2026.

Your PRIA Score

Score Hidden

Personalized for You

How does this regulation affect your finances?

Sign up for a PRIA Policy Scan to see your personalized alignment score for this federal register document and every other regulation we track. We analyze your financial profile against policy provisions to show you exactly what matters to your wallet.

Free to start

Key Dates

Published Date
1/17/2025

Department and Agencies

Department
Independent Agency
Source: View HTML
Back to Federal Register

Take It Personal

Get Your Personalized Policy View

Start a Free Government Policy Watch to see how policy affects your household, then upgrade to PRIA Full Coverage for year-round monitoring.

Already have an account? Sign in