[co-author: Tanvi Chopra]

A sweeping array of businesses are another step closer to requirements to report cybersecurity incidents and ransomware payments to the federal government.

On April 4, 2024, the U.S. Department of Homeland Security's (DHS) Cybersecurity Infrastructure and Security Agency (CISA) published a Notice of Proposed Rulemaking (NPRM) to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The proposed rule would require "covered entities" to report certain cyber incidents and ransom payments to CISA within prescribed time frames. The proposed rule also creates exceptions to reporting requirements, as well as protections for report content.

The proposed rule is open for comments for 60 days, until June 3, 2024. Following this, CISA will have 18 months to issue a final rule, approximately by October 4, 2025. CISA expects the final rule would come into effect in early 2026. [See Sec. V.A.i]

This post provides an overview of the NPRM and its key takeaways. Linked citations to the 400+ page Federal Register notice are mercifully provided in brackets for ease of reference.

I. Broad applicability

The regulation would encompass a wide range of "covered entities" in critical infrastructure sectors. Importantly, CISA makes clear that "covered entities" would be broader than owners and operators of critical infrastructure systems and assets. Instead, entities that are active participants in critical infrastructure sectors may be considered "in the sector," even if the entity itself is not critical infrastructure. [Sec. IV.B.i] CISA welcomes your organization's outreach if you are unsure whether you are part of a critical infrastructure sector. [Sec. IV.B.ii]

To establish what qualifies as "critical infrastructure sectors," CIRCIA draws from Presidential Policy Directive 21 (PPD-21). [Sec. IV.B.i] PPD-21 enumerates 16 sectors, encompassing services across large swathes of the economy.

The critical infrastructure sectors are 1) Chemical, 2) Commercial facilities, 3) Communications, 4) Critical manufacturing, 5) Dams, 6) Defense industrial base, 7) Emergency services, 8) Energy, 9) Financial services, 10) Food and agriculture, 11) Government facilities, 12) Healthcare and public health, 13) Information technology, 14) Nuclear reactors, materials, and waste, 15) Transportation systems, and 16) Water and wastewater systems.

II. Covered entities

Under the proposed rule, the regulation would be applicable to organizations that fall in either of two categories:

1. All entities operating in critical infrastructure sectors, except small businesses; or
2. All entities operating in critical infrastructure sectors that fulfill sector-based criteria, even if the entity is a small business. [Sec. VI; Sec. 226.2(a)-(b)]

While the size threshold captures larger entities, the sector-based criteria capture entities that are small but essential. Below, we take a closer look at these designations.

a) Covered entities – Based on size

The proposed size-based criterion significantly broadens the scope of entities covered by the rule.

The size threshold is based on Small Business Administration (SBA) standards. These standards vary by industry and are based on annual revenue and number of employees. [Sec. IV.B.iv.1.B] SBA updates the standards every five years. Entities in a critical infrastructure sector above these small business thresholds are "covered entities" under the proposed rule.

For example, under current SBA standards, the proposed rule would cover all software publishers (which operate in the critical infrastructure sector of information technology) with more than $47 million in revenue. As another example, physician offices with more than $16 million in revenue would be covered by the rule.

b) Covered entities – Sector-based criteria

The sector-based criteria proposed by CISA focus on more essential entities within a sector, regardless of the entity's size, based on the potential consequences of disruption. The proposed rule sets out specific criteria for nearly all of the 16 critical infrastructure sectors listed above. [Sec. VI; Sec. 226.2(b)]

For example, the proposed sector-based criteria for the information technology sector would include

• Entities that provide or support IT services for the federal government;
• Entities that develop, license, or maintain certain types of software, such as software that manages or controls access, has privileged access, controls operational technology, or that performs a function critical to trust (i.e., software used for security functions such as network control and endpoint security);
• Manufacturers, vendors, or integrators of operational technology hardware or software components (such as industrial control systems and programmable logic controllers); and
• Entities that manufacture, sell, or provide managed services for information and communications technology specifically used to support election processes for state, local, tribal, or territorial (SLTT) governments.

As another example, the proposed sector-based criteria for healthcare and public health would include entities that provide essential public health-related services, including hospitals with 100 or more beds, critical access hospitals, and manufacturers of certain classes of drugs or medical devices. [Sec. VI; Sec. 226.2(b)(10)-(12)]

III. Covered cyber incident

Covered entities must report covered incidents. The proposed rule would define a "covered cyber incident" to include any of the following:

• A substantial loss of confidentiality, integrity, or availability of a covered entity's information system or network;
• A serious impact on the safety and resiliency of a covered entity's operational systems and processes;
• A disruption of a covered entity's ability to engage in business or industrial operations, or deliver goods or services; or
• Unauthorized access to a covered entity's information system, network, or nonpublic information, that is caused by a (i) compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; or (ii) supply chain compromise.

This definition includes any substantial cyber incident, regardless of the cause. As a result, an incident can be a "covered cyber incident" if the compromise occurred through a third-party service provider, a denial-of-service attack, or a vulnerability in widely used open source code.

However, a covered cyber incident does not include mere threats of disruption as extortion, or events perpetrated in good faith in response to a request by the system owner or operator. Covered cyber incidents also do not include lawfully authorized activity of a U.S. or SLTT government entity. [Sec. VI; Sec. 226.1]

IV. Reporting requirements

Covered entities must provide the following four mandatory "CIRCIA Reports" to CISA within specified timelines:

1. Covered Cyber Incident Reports: Covered entities that experience a covered cyber incident must report to CISA within 72 hours of reasonably believing that an incident has occurred.
2. Ransom Payment Reports: Covered entities that make a ransom payment, or have another entity make a ransom payment on their behalf, as the result of a ransomware attack, must report no later than 24 hours after a payment has been paid. Under the proposed rule, "ransomware attacks" include occurrences that disrupt the confidentiality, availability, or integrity of electronic data for extortion — encompassing denial-of-service attacks, data exfiltration, and forced systemwide encryption. [pg 409]
3. Joint Covered Cyber Incident and Ransom Payment Reports: Covered entities that experience a covered cyber incident and make a related ransom payment must report both events within 72 hours in a Joint Covered Cyber Incident and Ransom Payment Report.
4. Supplemental Reports: Covered entities must "promptly" submit supplemental reports within 24 hours if (i) new or different information becomes available or (ii) a ransom payment was made after a covered incident was already reported. [Sec. VI; Sec. 226.3-5]

V. Format and details of the reports

The NPRM highlights that covered entities must report covered cyber incidents or ransomware payment through a web-based "CIRCIA Incident Reporting Form," which CISA will make available on its website. [Sec. VI; Sec. 226.6]

Both types of reports require numerous details related to the incident. This includes, but is not limited to, the entity's identity, a description of the affected functions, technical details of the networks or devices, vulnerabilities exploited, categories of information that were accessed, relevant dates, the entity's security protocols, the impact of the incident on operations, indicators of compromise, a description of the type of incident and tactics, identifying information about the attacker, a description of any mitigation and response activities, identification of any law enforcement responding to the incident, and whether another entity assisted in responding to the covered cyber incident. [Sec. VI; Sec. 226.8]

Ransom payment reports also require information on the payment demand, amount and types of assets used in the payment, identity of the recipient, the form of payment requested, the ransom payment instructions, and transaction identifiers. [Sec. VI; Sec. 226.9]

A covered entity may authorize a third party to submit a CIRCIA Report on the covered entity's behalf. However, the covered entity remains responsible for ensuring compliance with the reporting requirements. [Sec. VI; Sec. 226.12]

Entities that report an incident through CIRCIA will need to retain the data used to file the report for at least two years from the date of submission or the date the submission would have been required. For example, this includes indicators of compromise, relevant log entries, information that may help identify exploited vulnerabilities, all records related to ransom payments, and other information. [Sec. VI; Sec. 226.13]

VI. Exemptions for similar reporting

Covered entities may be exempted from submitting CIRCIA reports if the entity is already required to report cyber incidents to another federal agency.

However, for this exemption to apply, CISA and that agency must have established an agreement ("CIRCIA Agreement") that the reporting requirements are substantially similar. CISA would retain discretion to determine what constitutes "substantially similar" information. CISA would also retain the right to terminate a CIRCIA Agreement at any time. In addition to the agreement, the federal agency must have a mechanism in place to share information with CISA. Without these elements, the covered entity is responsible for complying with both CIRCIA and the other reporting requirements.

Separately, federal agencies that are required by the Federal Information Security Modernization Act (FISMA) to report incidents to CISA would be exempt from reporting those incidents under CIRCIA. [Sec. VI; Sec. 226.4]

VII. Enforcement and penalties

The Director of CISA may issue a request for information (RFI) to a covered entity if there is reason to believe that the entity has failed to submit a required report. The RFI would include a description of the information requested from the covered entity and the date by which the entity must respond. [Sec. VI; Sec. 226.14]

If the entity does not respond by the deadline or its response is inadequate, the Director may issue a subpoena to compel information. Any entity that fails to comply with a subpoena may be subject to a civil action brought by the Department of Justice, or a court may order compliance with the subpoena and punish a failure to obey with contempt of court charges. Additional penalties may include disbarment and restricting future government contracts to noncompliant covered entities. [Sec. VI; Sec. 226.15]

Any person who makes a false statement or representation in connection with a CIRCIA Report may face criminal penalties. [Sec. VI; Sec. 226.20]

VIII. Treatment of information and protections

CIRCIA provides certain protections and guarantees for cyber incident reports, ransomware payment reports, and RFI responses. [Sec. VI; Sec. 226.18]

No enforcement action may be taken based solely on the submission of a CIRCIA Report or response to an RFI. In addition, CIRCIA Reports, RFI responses, and related communications or materials may not be admitted as evidence, subjected to discovery, or used in any legal proceedings. [Sec. VI; Sec. 226.18(c)] However, this protection does not affect the entity's liability for the incident itself if there is a separate basis for liability. [Sec. IV.H.i.3.b]

A covered entity does not waive any applicable privilege or protection provided by law as a consequence of submitting a CIRCIA Report or RFI response. CIRCIA Reports are exempt from disclosure under the Freedom of Information Act (FOIA) and similar laws. A covered entity may designate its report as "commercial, financial, and proprietary information" if it desires CISA to treat it as such. [Sec. VI; Sec. 226.18(b)]

Additionally, information provided to CISA through CIRCIA may be disclosed to and used by any federal agency, solely for the following reasons: (i) cybersecurity purpose; (ii) identifying a cybersecurity threat or a security vulnerability; (iii) responding to or mitigating a specific threat of death, serious bodily harm, or serious economic harm. [Sec. VI; Sec. 226.18(b)(3)]

IX. Business Takeaways

While the requirements of this rule will not go into effect until after the final implementing rules are established, expected in late 2025, being informed and prepared is an important first step.

Companies should not assume that the rule would be limited to "critical infrastructure." Instead, because of its broad scope, we encourage companies to review the proposed rule to determine if they qualify as a covered entity.

Potential covered entities should review the reporting requirements and identify any initial impacts to their business. This includes consideration of any necessary future adjustments to the entity's organizational security program and cyber incident response plan. In order to stay organized, we recommend that companies create a regulatory notification chart to keep track of their different incident reporting obligations. Many companies are subject to several cybersecurity incident regulations with varying notification timelines, and developing a chart can help ensure that disclosures are appropriately made in a timely manner.

These proactive steps can help companies identify measures needed for achieving compliance, if applicable, once the rules are finalized. Potential covered entities may want to consider submitting formal comments on the proposed rule to CISA, either directly or through a trade association.

These considerations are intended to highlight some key steps that companies can take now to prepare for CIRCIA. They are not intended to be an exhaustive list, and each company must assess the processes and procedures that may be necessary and appropriate within the context of its operations, business, and regulatory environment.