March 22, 2022
I support more transparency in the reporting of cyber security incidents and potential risks for a given organization. The proposed requirement to also report strategies, policies and other details is a concern. Depending on the required level of detail this information will become public and could provide additional information to a potential attacker to be used in a cyber attack against the reporting entity. Most organizations would or should consider the details of their security environment, policies, and strategies to be sensitive and proprietary information. Requiring organizations to report this type of information removes a level of protection by exposing information regarding the specific plans, policies and strategies at use within the organization.