Defense contractors have had cyber incident reporting obligations under DFARS clause 252.204-7012 for many years. Recently, however, CISA issued a 457-page proposed rule implementing the 2022 Cyber Incident Reporting for Critical Infrastructure Act. Unless CISA and DoD can reach an agreement, DIB contractors will have duplicative incident reporting obligations for two different agencies.
Episode Links:
CIRCIA Proposed Rule: https://www.federalregister.gov/documents/2024/04/04/2024-06526/cyber-incident-reporting-for-critical-infrastructure-act-circia-reporting-requirements
Congressional Research Service Report (PDF): https://crsreports.congress.gov/product/pdf/R/R48025
How to submit effective comments: https://youtu.be/1T_62cYiUA4?si=sp91i_cXFGiyD7JW