The latest bill is going through, the government is a bipartisan bill, which means it has support on both sides of the house, which means more than likely it’ll pass and one way or another. It’s the Cyber incident reporting for the critical infrastructure act of 2021. It’s a mouthful, but a lot of individuals, most critical infrastructure companies, are looking at this with a fine-tooth comb because it’s going to create a new incident Review Office. This is underneath the Department of Homeland Security. But what is actually going to do is require critical infrastructure owners and operators to report cyber, what they were crossed by as major cyber incidents to their office.
Now what exactly major cyber incidents’ classification is that still in flux, but what it’s going to do is create a Time, find Timeline period for which all incidents have to be reported right now. It’s being discussed. That this is a 72-hour window. There were conversations of a previous Bill coming through a 24. Right now, there are also no talks of any associated penalties, but that’s still on the table. Again. This is a bill, it’s not signed into law yet. Let’s, there’s a lot of these parts that are still in flux, but part of the notification of compliance to the agency. You have to identify the tactics, techniques, and procedures to be shared in the greater intelligence community. So they can do some recon to figure out some type of commonalities of major cyber events, as well as help mitigate future events to the office.
One of the cool things that the new agency would be doing is actually publishing quarterly reports based on their observations and future recommendations are. But what I see is one of those most alarming points to this, is that the broad definition of critical infrastructure spans over 16 sectors and that’s still an open Point. As I mentioned to you, that the associated Point, there’s going to be penalties for failure to report and what the classification for the major incident is, but the third thing there is, what is classified, as critical infrastructure expands chemical manufacturing Commercial Energy. You can see on the slide there, Financial dams Transportation. Some make sense to water. And what do you classify as critical and The structure and manufacturing site? It’s a pretty broad definition by Nature.
So we’re really interested in a lot of companies are very interested to see how that’s going to play out, how it’s going to impact them. One of the most important things that we recommend to our clients and our customers is to start to think about some of these points. Obviously going to identify those tactics techniques and procedures that seem to be a commonality of what needs to happen as well as sharing in almost real-time. When something transpires, there’s an attack that’s happened. So starting to plan that has real-time threat detection.
Your OT and IoT networks. Seeing of course, if you’re contained within the critical infrastructure domain, but also start to get a firmer understanding of what’s out there and what your risk exposures are because this is coming hard and fast, but there is no definite timeline of when critical infrastructure and these have, to be compliant that’s still in flux too. But this is something we all want to take an open eye and look at.