But first CISA has to implement them through a federal rulemaking process. The law gives the agency 24 months to publish an initial notice laying out the rules, and then an additional 18 months to finalize the regulations.

Tatyana Bolton, who led cyber policy at CISA between 2017 and 2020, said the requirements represent a “turning point” for CISA. Bolton now works as policy director for cybersecurity and emerging threats at the R Street Institute.

“They’re going from a cooperative partner begging for information to a regulatory enforcer that has legitimate power to enforce compliance with particular requirements for cybersecurity,” Bolton said. “I think you’ll see a bit of a shift in terms of the way that industry sees CISA and its power and authority.”

But Bolton suggests CISA should keep the definitions broad to make it easy for as many companies as possible to report incidents.

“You want to get as much information as you can, and then you figure out on the back end, whether any of it actually is important,” she said. “Without that type of mindset, you’re going to miss things where an incident seemed minor, and in fact it was a thread that could have led to the identification of a SolarWinds-like attack.”

As it starts down the rulemaking path, Bolton suggested CISA look to the Federal Aviation Administration’s system for reporting flight incidents as a model. The Aviation Safety Reporting System accepts confidential reports from pilots, air traffic controllers, mechanics and others, analyzes the data, and then distributes information to the aviation community.

“It’s not about blame,” Bolton said. “It’s about information to ensure that all our skies are safe. The same is true for cybersecurity.”
