Ahead of mandatory rules, CISA unveils new cyber incident reporting portal

The Cybersecurity and Infrastructure Security Agency has unveiled a streamlined service for reporting cyber incidents, as CISA gears up for new reporting requirements to take effect as soon as next year.

The cyber agency rolled out the “CISA Services Portal” this week. The service features “enhanced functionality,” including integration with Login.gov credentials. The new portal gives users the ability to save and update reports, share reports with third parties, and search and filter reports. It also allows users to informally chat with CISA officials.

In a statement, Jeff Greene, CISA’s executive assistant director for cybersecurity, said, “Any organization experiencing a cyber attack or incident should report it — for its own benefit, and to help the broader community.” Greene joined CISA earlier this summer.

“CISA and our government partners have unique resources and tools to aid with response and recovery, but we can’t help if we don’t know about an incident,” Greene continued. “Sharing information allows us to work with our full breadth of partners so that the attackers can’t use the same techniques on other victims, and can provide insight into the scale of an adversary’s campaign. CISA is excited to make available our new portal with improved functionality and features for cyber reporting.”

While cyber incident reporting is voluntary today, the launch of the new portal comes as CISA prepares to implement the landmark Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The law will require organizations across all 16 critical infrastructure sectors to report serious cyber incidents to CISA within 72 hours and ransomware attacks within 24 hours.

CISA released proposed rules for CIRCIA in March. The law requires CISA to issue a final rule by October 2025.

In its proposed rule, CISA estimates that the reporting requirements will apply to more than 300,000 organizations. The agency expects to receive at least 25,000 incident reports within the first year of the rule becoming effective.

In addition to hiring more employees to handle an influx of incident reports, CISA is also upgrading technology to support CIRCIA. The agency’s fiscal 2025 budget request shows CISA plans to integrate a “customer relationship management” tool into its systems. The agency also wants to expand its threat intelligence platform and develop an “incident reporting web app,” according to budget documents.

The cyber agency is also working to harmonize CIRCIA with existing incident reporting regulations that are each largely aimed at specific sectors, such as the defense industry or the financial sector. The Department of Homeland Security in a 2023 report highlighted the dozens of existing incident reporting rules. The report called for agencies to adopt things like a common incident reporting form, as well as a common definition for reportable cyber incidents.

CISA officials have said they want to make the CIRCIA requirements as painless as possible for industry.

“It’s hugely important … to make sure that we are not overly burdening the private sector, particularly private sector companies under duress if they have been attacked,” CISA Director Jen Easterly said shortly after the law passed in 2022. “CIRCIA is all about helping. This is not to name, to shame, to blame, or stamp the wounded. We are here to render assistance, and then to get information that we can share with our partners while protecting privacy and protecting the victim.”
