A proposed rule from the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, scheduled for publication in the Federal Register on April 4, 2024, could have important implications for the biometrics space.
The rule implements the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which mandates reporting of covered cyber incidents and ransom payments by covered entities in the critical infrastructure sectors.
The notice solicits comments on the proposed implementation of CIRCIA’s requirements and addresses several practical and policy issues raised by the new reporting obligations. Covered entities would be required to report covered cyber incidents to CISA within 72 hours of reasonably believing one has occurred, and ransom payments within 24 hours of making them, giving the agency a timelier view of threats across the nation’s critical infrastructure sectors and supporting faster response and mitigation.
Key points include the process for submitting comments, definitions of terms such as “covered entity” and “covered cyber incident,” applicability criteria, required report content, reporting deadlines, and data preservation requirements. The proposal also outlines enforcement procedures for non-compliance and the treatment of information provided in reports, including protections for privacy, civil liberties, and information security.
For companies in the biometrics industry, the proposed CIRCIA rule carries several implications, particularly because of the sensitive nature of biometric data and its use in critical infrastructure sectors. Its requirements for reporting covered cyber incidents and ransom payments would oblige companies handling biometric data to establish or strengthen their incident detection, response, and reporting mechanisms so that a reportable event is recognized and escalated within the deadlines. Because biometric data is often integral to security systems, a breach or compromise of such data could qualify as a “covered cyber incident” and trigger reporting obligations, although this applies only where the company meets the rule’s covered-entity criteria and the incident meets the proposed threshold.
The rule’s emphasis on preserving data and records relevant to an incident, coupled with its guidelines on the treatment and use of reported information, also underscores the need for robust data protection measures. Biometrics companies must be able to retain the evidence and records the rule calls for, and continue to protect the biometric data itself, without compromising its integrity or individuals’ privacy during and after a cybersecurity event.
The document also details the anticipated costs and benefits of the proposed rule, estimating a total cost of $2.6 billion over the analysis period, borne by both industry and government. The benefits, although described qualitatively, are expected to include enhanced cybersecurity and resilience, reduced economic and security consequences from cyber incidents, and improved national security and public safety through better information sharing and threat mitigation.
The comment period runs for 60 days after the date of publication in the Federal Register.
Source: Federal Register
April 1, 2024 – by Alex Perala and the FindBiometrics Editorial Team