In an interview on Federal News Network on April 9, 2024, WRVB principal and chair of our Cybersecurity & Data Privacy practice, Beth Waller, talks on-air with reporter Eric White to break down a proposed rule by the Cybersecurity and Infrastructure Security Agency (CISA) that potentially changes the way those operating in critical infrastructure sectors must report cyber incidents. The new requirements would lengthen the “to-do” list of included entities.

While the proposed rules by the director of CISA were not a surprise to industry leaders, Beth points out in the interview, “The big, earth-shattering component of it is really the definition of a covered entity who falls within the orbit of needing to report… We have those who must report based on their size, how large they are, and those that have to report based on their sector. I think most folks watching for this proposed rule were expecting the sector side of the house. We weren’t expecting the size side of the house. And so, from a 40,000-foot view, I would say that most businesses and entities might be surprised to find out that they are covered by these new reporting requirements as proposed.”

Another challenge posed by the proposed rules is the wide range of sectors that must comply. These include obvious critical industries like water and wastewater systems, chemical facilities, and transportation systems, but also extend to other sectors like healthcare, education, and manufacturing, among others. Regardless of size, any entity that provides IT software, hardware, systems, or related services to the federal government must comply.

Beth raises an excellent point: “CISA wants as much information as possible to start looking at these trends nationally and the types of incidents that we are facing as a nation.”

Listen to Beth’s interview or read the transcript on Federal News Network’s website here.