[HN Gopher] CISA publishes 447 page draft of cyber incident repo...
___________________________________________________________________
CISA publishes 447 page draft of cyber incident reporting rule
Author : anigbrowl
Score : 41 points
Date : 2024-04-06 17:58 UTC (5 hours ago)
(HTM) web link (therecord.media)
(TXT) w3m dump (therecord.media)
| rightbyte wrote:
| 447 pages? That is like multiple semesters of course work.
|
| There should be some rule about how the rules can't be longer
| than what the drafter can recite by heart.
| kibwen wrote:
| _> There should be some rule about how the rules can't be
| longer than what the drafter can recite by heart._
|
| I look forward to all laws being written in rhyming iambic
| pentameter.
| onewheeltom wrote:
| I want the CliffsNotes version.
| smarx007 wrote:
| The draft amendment to the Code itself is just 10 pages long (pp.
| 123-133); pp. 1-123 are the analysis, for a total of 133 pages [1].
|
| § 226.2 Applicability (12) on p. 125 covers most IT/SaaS
| companies (any SW that has an OAuth2 client lib dependency seems
| to hit sub-clauses (ii)(C) and (ii)(D)) (emphasis mine):
|
| (12) Information technology entities. The entity meets one or
| more of the following criteria: (i) Knowingly provides or
| supports information technology hardware, software, systems, or
| services to the Federal government; (ii) Has developed and
| continues to sell, license, _or maintain_ any software that has,
| _or has direct software dependencies_ upon, one or more
| components with at least one of these attributes: (A) Is designed
| to run with elevated privilege or manage privileges; (B) Has
| direct or privileged access to networking or computing resources;
| (C) _Is designed to control access to data or operational
| technology;_ (D) _Performs a function critical to trust;_ or (E)
| Operates outside of normal trust boundaries with privileged
| access; (iii) Is an original equipment manufacturer, vendor, or
| integrator of operational technology hardware or software
| components; (iv) Performs functions related to domain name
| operations;
|
| Also, it would not hurt if the draft were written in BLUF fashion
| [2], with the 10 pages of the proposed law followed by the 123
| pages of analysis.
|
| [1]: https://www.govinfo.gov/content/pkg/FR-2024-04-04/pdf/2024-0...
|
| [2]: https://en.wikipedia.org/wiki/BLUF_(communication)
| avs733 wrote:
| From what I can tell, it's actually 133: the rule, not the law.
|
| The first five pages are the table of contents and definitions of
| acronyms, followed by about a 10-page explanation of the background
| and what CISA is required to do by the law. Starting on page 98
| there is also an analysis, as required by law, of who is affected,
| what the cost of implementation is, and a wide variety of other
| details to inform the public on why this rule and why this way.
| That cost includes what it will cost CISA to implement the rule
| (e.g., CISA estimates that a covered entity would spend six hours
| per submission to collect, store, and maintain records ... hourly
| compensation rate of $35.19). It analyzes this rule for people
| who might want to critique it from a variety of perspectives and
| covers an enormous number of potential impacts as required by law
| (e.g., its compliance with technical standards, energy usage,
| tribal implications).
|
| It's easy to jump on these things for being long, but I would
| imagine the goal is to be thorough and precise. That matters to
| making this useful, as it does for any law or regulation.
|
| Doing government well is hard, just like writing good code or
| designing any complex system is hard. Documentation is often, and
| more often should be, extensive. The headline is a cheap shot
| meant to undermine the actual rule itself.
| pseingatl wrote:
| Lack of compliance with the rule will incur fines and penalties.
| The agency will need sworn officers to carry out warrantless
| inspections and ticket non-compliant companies. Objections to
| fines will be heard by administrative law judges employed by the
| agency. The agency will keep all revenue earned from non-
| compliant companies. People who object to these reasonable
| procedures will be labelled "cyber-terrorists" and placed on the
| secret "No-Fly" list. America. The Land of the Free(tm).
___________________________________________________________________
(page generated 2024-04-06 23:01 UTC)