In March 2022, the Biden Administration signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This landmark legislation tasks the Cybersecurity and Infrastructure Security Agency (CISA) with developing and implementing regulations that require covered entities to report covered cyber incidents and ransomware payments.

The CIRCIA incident reports are meant to enable CISA to:

- Rapidly deploy resources and render assistance to victims suffering attacks
- Analyze incoming reporting across sectors to spot trends
- Quickly share information with network defenders to warn other potential victims

As they say, the devil is in the details. In early April, the 447-page Notice of Proposed Rulemaking (NPRM) was published by CISA in response to its responsibilities mandated by CIRCIA. The document is now open for public feedback through the Federal Register.

Considering CIRCIA and its newly published NPRM, what might incident reporting for ransomware attacks look like in the future? Let’s find out.