Security incidents are reported to CISA when applicable
CISA provides free incident response support, threat intelligence sharing, and technical assistance to organizations that report incidents. Reporting also helps CISA build a national picture of threat activity and warn other potential victims. Organizations in critical infrastructure sectors have mandatory reporting obligations; others benefit from voluntary reporting. Failing to report when required can result in regulatory penalties.
Implementation steps
1. Determine your reporting obligations and thresholds
Identify whether your organization is subject to mandatory incident reporting under CIRCIA, HIPAA, financial regulations, or state privacy laws. Document the reporting thresholds: what types of incidents must be reported, to which agencies, and within what timeframes. For CISA specifically, significant cyber incidents affecting critical infrastructure should be reported within 72 hours under CIRCIA (when in effect). Review obligations annually as regulations change.
Tools: confluence, notion, legal-counsel, drata, vanta
2. Add CISA reporting to your incident response plan
Include a decision point in your IR plan: for significant incidents, does this trigger a CISA report? Document the CISA reporting portal URL (report.cisa.gov), the 24/7 hotline (888-282-0870), and the information you will need to provide. Designate who in your organization is authorized to submit reports to CISA. Train that person on what information to include.
Tools: confluence, notion, google-docs, pagerduty
3. Document incident reports and track regulatory deadlines
When an incident occurs, log whether a CISA report was filed, the date it was filed, and the case number or confirmation. Track any follow-up requests from CISA or other regulators. For incidents with multiple reporting obligations (state breach notifications, HHS, SEC), use a checklist to ensure all required notifications are made within their respective deadlines.
Tools: jira, confluence, servicenow, drata, google-sheets
Evidence required
Reporting obligations documentation and incident report records
Evidence that reporting obligations are understood and that incidents have been reported as required.
- Written documentation of applicable reporting obligations and thresholds
- IR plan section showing CISA reporting decision criteria
- Incident log showing reports filed with date, agency, and case number
Related controls
- An incident response plan is documented and maintained (Response and Recovery)
- Incident response roles and contacts are designated and current (Response and Recovery)
- Security logs are collected centrally and retained for investigation (Response and Recovery)
- Network and system anomalies are monitored and alerted on (Response and Recovery)