CIRCIA Proposed Regulations Uncertain Ahead of October Final Rule Publication

MIT CYBERSECURITY CLINIC

The new MIT Cybersecurity Clinic (11.274 and 11.074) will be offered in both the fall and spring semester at MIT.

The Cybersecurity Clinic will consist of four-modules : Cybersecurity for Critical Urban Infrastructure: Understanding the Problem; How the MIT Cybersecurity Clinic Makes Initial Contact with potential Client Agencies; Onsite Assessment of Cybersecurity Vulnerability by MIT Clinic Staff; and Prepare and Submit a Final Cybersecurity Vulnerability Assessment to a Client Agency. MIT students who want to take on field assignments with the Cybersecurity Clinic (for academic credit) must pass the certification examination offered at the end of the fourth module.

Students who have achieved certification, will work in teams supervised by advanced doctoral and post-doctoral students during the last nine weeks of the spring semester to collaborate with an assigned client agency to prepare a Cyberattack Vulnerability Assessment for a client agency.

WHO WE ARE

We are developing a new class of non-technical strategies against cyberattacks called Defensive Social Engineering. Cyber defenders can use Defensive Social Engineering along with technical tools to defeat or compromise attackers. One technique in the Defensive Social Engineering toolbox is Cyber Negotiation. This research is supported by MIT’s Internet Policy Research Initiative (IPRI).

RESOURCES

Click here for a list of publications and resources

ABOUT THIS BLOG

click above to read more about this blog and watch the short animation below

CIRCIA Proposed Regulations Uncertain Ahead of October Final Rule Publication

April 2, 2025
USA Today: Cyberattacks on Critical Infrastructure Are Increasingly Common

January 10, 2025
CISA Proposed Cybersecurity Incident Reporting Requirements for Critical Infrastructure Companies Opened for Comment

December 18, 2024
Boston Globe: How to Thwart Hackers (Local Cybersecurity)

June 5, 2023
Quick guide to the 6 ways we can regulate AI (MIT Tech Review)

May 30, 2023
World agencies issue cybersecurity guidance for smart cities

April 27, 2023
The Electronic Frontier Foundation Opinion Piece on the U.N. Cybercrime Treaty

April 18, 2023
Cyberattacks on local governments 2020: findings from a key informant survey

February 21, 2023
strategic approach to identify, stop and punish cyberattackers (Third Way Cyber Enforcement Initiative)

December 12, 2022
Cyberattack Causes Trains to Stop in Denmark

November 7, 2022

April 2, 2025

CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act, which was signed into law in March 2022, requires covered entities to report any major cybersecurity incident within 72 hours, and to report ransomware payments within 24 hours of making the payment.

Last year, CISA announced a notice of proposed rulemaking (NPRM), asking the public to submit written comments on the proposal over a period of 60 days starting on April 4. CISA is currently reviewing and considering the comments received during the public comment period in developing the Final Rule, which CISA is required to publish 18 months after the publication of the NPRM.

CISA’s proposed rules to implement CIRCIA are set to enter effect in October 2025. However, this proposed regulation may change based on the priorities of the Trump administration. The resignation of Jen Easterly, former director of CISA, and the formation of the Department of Government Efficiency (“DOGE”) could signal an intent to reduce regulatory burdens for businesses. CISA is unlikely to go away, but its proposed regulations under CIRCIA could see changes or delays.