Thanks as always to Jacob Horne for sending up the flairs - time to dig in... again...
The CIRCIA proposed rule will impact defense contractors and subs with additional cyber incident reporting requirements beyond DFARS 7012. Did anybody else notice that the DIB makes up by far the most number of entities affected and represents the largest amount of costs incurred? 𝟮𝟯% 𝗼𝗳 𝗮𝗹𝗹 𝗮𝗳𝗳𝗲𝗰𝘁𝗲𝗱 𝗲𝗻𝘁𝗶𝘁𝗶𝗲𝘀 𝟭𝟲% 𝗼𝗳 𝘁𝗼𝘁𝗮𝗹 𝗽𝗿𝗼𝗴𝗿𝗮𝗺 𝗰𝗼𝘀𝘁𝘀 On top of that, 𝟵𝟴% 𝗼𝗳 𝗮𝗹𝗹 𝗰𝗼𝘃𝗲𝗿𝗲𝗱 𝗲𝗻𝘁𝗶𝘁𝗶𝗲𝘀 𝗮𝗿𝗲 𝘀𝗺𝗮𝗹𝗹 𝗯𝘂𝘀𝗶𝗻𝗲𝘀𝘀𝗲𝘀 At what point is the CIRCIA rule really just a Department of Defense small business cyber rule? According to the rule CISA is gonna try super duper hard to cooperate with the DoD in order to establish a "CIRCIA Agreement" to reduce duplicative reporting requirements. I don't know if you're holding your breath but I'm not. Luckily the rule has this tidbit: 𝗔𝘀𝘀𝗶𝘀𝘁𝗮𝗻𝗰𝗲 𝗳𝗼𝗿 𝗦𝗺𝗮𝗹𝗹 𝗘𝗻𝘁𝗶𝘁𝗶𝗲𝘀 "CISA wants to assist small entities in understanding this proposed rule so that they can better evaluate its effects on them and participate in the rulemaking. If this proposed rule would affect your small business, organization, or governmental jurisdiction and you have questions concerning its provisions or options for compliance," please contact: Todd Klessman, CIRCIA Rulemaking Team Lead, CISA circia@cisa[.]dhs[.]gov 202-964-6869 What's the over/under on the number of voicemails left by DoD so far?