The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is a law enacted in March 2022 that requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations mandating covered entities to report cyber incidents and ransom payments to CISA. CIRCIA will allow CISA to deploy resources to help protect against cyber threats, analyze incoming reports, spot trends, and share data with entities to protect against cyber threats.
Why the Cyber Incident Reporting for Critical Infrastructure Act Is Important
CIRCIA is important because it enables CISA to coordinate and analyze cyber incidents, spot trends in malicious activity, and provide resources to help protect against cyber threats. By requiring that incidents and ransom payments be reported within 72 hours, CISA can deploy resources to help defend against malicious actors, identify potential vulnerabilities, and share data with entities to protect them from malicious attacks. This helps prevent further incidents from happening across sectors and helps CISA develop better ways to respond to emerging threats.
In addition, the enactment of CIRCIA creates the Cyber Incident Reporting Council (Council), which is tasked with coordinating and de-conflicting federal incident reporting requirements. This allows CISA to evaluate the electronic and physical security standards of each sector, improving overall collaboration on cyber incident response plans. The Council also has the authority to provide sector-specific guidance on data collection and reporting steps needed to combat cyber threats.
Further, CIRCIA requires CISA to establish the Joint Ransomware Task Force, a nationwide campaign to detect and mitigate ransomware attacks. This helps to raise public awareness and encourage organizations to report incidents and comply with CIRCIA’s reporting requirements. CIRCIA also creates programs that warn organizations of vulnerabilities that are commonly associated with ransomware exploitation. This helps organizations to identify and address these vulnerabilities before they become targets for ransomware attacks.
How Does CIRCIA Work?
In order to provide protection against cyber threats, CIRCIA requires CISA to issue regulations mandating that covered entities report cyber incidents to CISA within 72 hours of when they reasonably determine that the incident has occurred. In addition, it requires that any federal entity that receives a report share it with CISA within 24 hours, and make information received under CIRCIA available to appropriate federal agencies.
CIRCIA additionally authorizes the creation of programs that warn critical infrastructure entities of vulnerabilities commonly associated with ransomware exploitation, and the establishment of a Joint Ransomware Task Force to coordinate a nationwide campaign against ransomware attacks. It also requires covered entities to report ransom payments made as a result of a ransomware attack within 24 hours.
Implementing the Cyber Incident Reporting for Critical Infrastructure Act
For CIRCIA’s reporting requirements to be effective, CISA must set forth regulatory requirements. CISA will do this through a Notice of Proposed Rulemaking (NPRM), to be released within 24 months of CIRCIA’s enactment. The NPRM will detail the reporting requirements, data privacy measures, and other elements of the proposed regulations. Following the NPRM, the public has 60 days to comment on the proposed regulations, and CISA will consider public feedback when drafting the Final Rule.
In addition to forming the proposed regulations, CISA must consult with Sector Risk Management Agencies (SRMAs), the Department of Justice, and other appropriate federal agencies along the way. This helps ensure that the NPRM reflects considerations from multiple perspectives, including potential vulnerabilities that might otherwise have been overlooked. The Final Rule should be completed within 18 months of the NPRM and contain the finalized regulations for covered entities.
Until the Final Rule is effective, organizations are not required to report cyber incidents or ransom payments. However, CISA encourages organizations to voluntarily report incidents and payments in order to receive assistance, warn other potential victims, and identify trends that may help protect the homeland.
To ensure that the Final Rule is practical, efficient, and up-to-date, CISA will continuously update the Final Rule in accordance with changing trends and feedback from the public and other federal agencies. Once the Final Rule is issued, CISA will be tasked with enforcing the rule and identifying organizations that are non-compliant with the regulations. CISA has the authority to issue civil fines, injunctions, and other remedies to ensure organizations are abiding by the regulations and can also inform other federal agencies of organizations violating CIRCIA.
Who Must Comply with Reporting Requirements
Companies that offer services or products for critical government infrastructure may be required to comply with CIRCIA. For example, an IT service provider that supports a water and power plant needs to comply with the reporting requirements of CIRCIA if it discovers a cyber incident at the plant.
Where Should Affected Companies Report?
What Can Organizations Do to Prepare?
Chief security officers and cybersecurity teams should stay up to date on CIRCIA’s changing requirements and regulations. Doing so enables organizations to remain compliant with current incident reporting requirements. They should familiarize themselves with the various resources related to CIRCIA, such as NIST Special Publication 800-145, the Homeland Security Act of 2002, Presidential Policy Directive 21, and the Cybersecurity Act of 2015. Additionally, they should monitor public input and listen to public sessions in order to better prepare for the Final Rule.
As cyber threats continue to evolve, the enactment of the Cyber Incident Reporting for Critical Infrastructure Act helps to ensure that organizations can confidently report incidents and obtain assistance to protect against malicious actors. To remain compliant, organizations should dig into and understand the current regulations outlined in CIRCIA. Doing so lets them maintain compliance and take proactive steps to stay ahead of incoming and emerging cyber threats.