New tech, personnel will help CISA with coming rush of cyber incident reports

CISA said “an automated mechanism” could help it better process and review a coming deluge of new cyber incident reports but could not be accounted for in its current budget.

The Cybersecurity and Infrastructure Security Agency is looking to onboard additional technologies and personnel to deal with a coming influx of cyber incident reports, according to a report released by the Government Accountability Office on Tuesday. 

The watchdog’s audit examined how CISA and its parent entity, the Department of Homeland Security, are complying with new requirements outlined in the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA. The law requires critical infrastructure providers to report cybersecurity incidents and ransomware attacks to CISA within specific timeframes. 

In April, CISA released its proposed cyber incident reporting rule, which would require covered entities to disclose cyber incidents to the agency within 72 hours and report ransomware attacks within 24 hours. The report said “access to these reports will allow the agency to rapidly deploy resources, analyze trends and share information that could prevent or mitigate future cyber incidents.”

CIRCIA instructed, in part, that GAO review CISA’s requirements under the law and determine the agency’s compliance with its provisions. Of the 59 specific obligations that it identified, the watchdog said CISA successfully implemented all 13 cyber incident reporting requirements it was mandated to enact by March 2024. The remaining 46 requirements must be implemented in 2025.

The report noted, however, that CISA has “identified a variety of challenges” when it comes to fully implementing CIRCIA, including accepting and analyzing an influx of new incident reports and “facilitating a more efficient method” for federal partners to share the reports with the agency. 

“CISA anticipates receiving an increased number of mandatory and voluntary reports that the agency will be required to review and act on within a short time frame,” GAO said. “CISA officials stated that the agency lacked sufficient technology and staff to effectively handle these cyber incident review requirements.”

CISA said it is working to onboard new technology solutions, including developing “an incident reporting portal to accept cyber incident reports, a unified ticketing system and other integrated tools.” 

The agency told GAO it is “using existing funds to prioritize critical technology projects, which might take multiple years to finalize, over hiring all needed staff.” CISA added that it plans to hire new personnel “who would be responsible for the handling of cyber incident reports” before it begins receiving the cyber incident reports next year.

CISA also floated additional technology modernization initiatives that would help it to better process and review incident reports, but cited budget constraints as a limiting factor. 

Agency officials told the watchdog that CISA currently shares cyber incident reports “through manual processes” across DHS and that the adoption of “an automated mechanism” could help alleviate some of the pressure when it comes to receiving and distributing the reports.

CISA said, however, that efforts to onboard these capabilities are currently stymied by the fact that the tools “would be considered a new technology project not accounted for within the agency’s budget allocations.”

In addition to improving its technical capabilities, GAO said CISA is also working to minimize conflicting or duplicative requirements in the cyber incident reports, including when it comes to their definitions, timelines, contents and how they are submitted to agencies. 

CISA said it will continue engaging with federal partners “during the development and implementation of the final rule to harmonize reporting requirements and reduce the burden on potential covered entities.”