Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) approved an interim final rule for the DOD concerning contractor reporting requirements for certain cyber intrusions. This rule was required by Congress in 2012 as part of the Defense Authorization Act of 2013 (§941; PL 112-239). The rule is likely to be published in the Federal Register later this week.
It will be interesting to see if the procedures that DOD develops for a relatively select group of non-governmental networks could be adopted for critical systems at all critical infrastructure facilities. I think that the government (and the public) has a specific and legitimate interest in attacks on critical infrastructure cyber-physical systems that could have a significant impact on the public.
The requirements of §941 focused principally on information compromise rather than cyber-physical systems, and it would probably be inappropriate to require reporting on purely information-related incidents (other than those involving significant amounts of PII, of course; but those would be covered by separate requirements). This would mean that adaptations of the DOD rule would certainly be required, but the actual reporting process (other than to whom the reports would be sent) should be fairly easy to adapt to a cyber-physical incident reporting system.