Eric Goldstein, CISA’s executive assistant director for cybersecurity, has outlined three goals for the agency’s upcoming incident reporting regulation:
“We have three goals with incident reporting,” Goldstein said. “The first is to offer help to those who need it,” he said, emphasizing that the U.S. government’s support is “solely voluntary.”
Second, CISA wants to ensure that it is “rapidly sharing information that is actionable and grounded in a reliable sample of adversary activity across the country.”
The third area looks at the broader landscape, Goldstein said. CISA wants to make recommendations on product security features that should be built in by default, and Goldstein said “grounding” it in “actual incidents and aggregated trends therein is going to be really impactful for the community in driving investments in the right areas.”
Goldstein said, “Our goal is to use incident reporting to harden the landscape so our adversaries have increased costs before executing intrusions on American companies.”
Goldstein said, “We absolutely see mandatory reporting as the floor not the ceiling.”