Final cyber incident reporting rule deferred

The Cybersecurity and Infrastructure Security Agency has moved to postpone the issuance of a final cyber incident reporting rule for critical infrastructure owners and operators to May 2026, even though such a rule was initially mandated to be released by next month, reports CyberScoop. Delaying the rule's release has been necessitated by public comments that sought for a more streamlined and less burdensome version that is better aligned with other federal cyber incident reporting requirements, according to CISA Director of Public Affairs Marci McCarthy. "Stakeholder input is extremely important as we work to draft a rule that improves our collective security," McCarthy said. Such a development has been supported by House Homeland Security Chairman Andrew Garbarino, R-N.Y., and the Information Technology Industry Council. "CISA should use this extended timeline to meaningfully incorporate industry input and realign the rule with Congresss original intent. At the same time, efforts to streamline incident reporting and harmonize requirements across the federal government must move forward to drive better security outcomes," said ITIC Director of Cybersecurity Policy Leopold Wildenauer.