New Cyber Incident Reporting Law Covering Range of Critical Infrastructure Companies

On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Act”) as part of an omnibus appropriations bill. The Act compels “covered entities” — companies in a “critical infrastructure sector” — to report to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 24 hours of making a ransomware payment or within 72 hours of reasonably believing that it experienced a “substantial cyber incident.”[1] In addition, the Act imposes a requirement on covered entities to preserve all data relevant to the cyber incident or ransom payment.[2] Covered entities are also subject to an ongoing requirement to update CISA promptly with new, important information until cyber incidents are fully mitigated and resolved.[3]

The legislation was fast-tracked in the wake of Russia’s invasion of Ukraine and fears that the conflict could lead to significant cyberattacks on U.S. critical infrastructure. The Act thus expands CISA’s ability to track, share information about, and respond to significant cyberattacks and ransomware payments, placing CISA at the helm of the federal government’s response to major cyber incidents less than four years after the Agency’s creation. Notably, although the Act had broad bipartisan support, the DOJ and FBI publicly opposed the legislation, arguing that “it would slow down the FBI’s response to hacks and hamper the government’s ability to identify and disrupt other ongoing attacks.” The White House, however, supported the Act’s passage, and CISA committed to sharing incident reports “immediately” with the FBI.

Many of the Act’s key definitions are reserved for rulemaking. Among other items, there is considerable ambiguity about:

  1. Which companies will be considered “covered entities,”
  2. Which substantial cyber incidents must be reported, and
  3. What data must be retained and reported, on an ongoing basis, relating to covered cyber incidents.

The rulemaking process is expected to last up to two years from the Act’s passage. However, the Act provides some hints of how these terms will be interpreted, and companies would be wise to begin preparing for the Act’s enforcement now.

As a threshold matter, companies should consider whether they are likely to be classified as “covered entities.” The Act defines “covered entity” to mean an entity in a critical infrastructure sector, as defined in Presidential Policy Directive PPD-21 (“PPD-21”). PPD-21 identifies 16 critical infrastructure sectors: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems. But PPD-21 does not explain how a company would determine whether it fits within one (or more) of those sectors, so the required rulemaking will be the primary source of information for companies seeking to determine their status as a critical infrastructure provider. The Act also specifies that CISA will conduct outreach to “likely covered entities” to inform them of the requirements.

The Act specifies that rulemaking must include a “clear description of the types of substantial cyber incidents that constitute covered cyber incidents.” What constitutes a “substantial” cyber incident will be defined in subsequent rulemaking, but the definition must include, among other things, incidents that lead to a substantial loss of confidentiality, integrity, or availability of information systems or that involve disruption of business or industrial operations. What constitutes a “covered cyber incident” lacks clarity, but the Act appears to limit the required reporting to actual and substantial cyber incidents only. In other words, attempted cyber incidents that fail to materialize and immaterial cyber incidents may not be subject to the Act’s reporting and retention requirements.

The Act suggests that covered entities will be required to disclose a substantial amount of information in their cyber incident reports, including but not limited to: a description of the function of the affected systems, networks, or devices; a description of the unauthorized access; a description of the vulnerabilities exploited and the security defenses in place; and the categories of information that were, or were reasonably believed to have been, accessed without authorization. These reporting requirements will be ongoing until the cyber incident has concluded and has been fully mitigated and resolved, meaning that reporting obligations for a single incident could continue for years until full mitigation and resolution are achieved. Accordingly, companies should consider whether they have appropriate internal processes in place to investigate incidents and collect relevant evidence.

In cases of non-compliance with the Act, CISA is authorized to engage directly with covered entities that it believes failed to report information about a cyber incident or ransom payment, including by issuing a subpoena to compel the disclosure of information. If a covered entity fails to comply with the subpoena, CISA may refer the matter to the Attorney General for enforcement and potential contempt of court proceedings. These requirements are imposed against a heightened DOJ enforcement backdrop in which the Civil Cyber-Fraud Initiative seeks to leverage the False Claims Act to hold accountable contractors and recipients of federal funds and grants that knowingly violate contractual obligations to monitor and report cybersecurity incidents and breaches.

Although the Act’s reporting requirements will not become effective for some time, companies with operations that relate to the PPD-21 critical infrastructure sectors should take steps now to ensure that they have systems in place to comply with the Act. Among other issues, companies should evaluate: (1) whether they are likely to fall within the Act’s definition of covered entities subject to reporting and retention requirements, (2) processes to create timely reports in the event of a covered cyber incident or ransomware payment, and (3) capabilities to preserve and collect relevant data in the event of a cyber incident. Companies should also consider how the reporting requirements of the Act might overlap with other disclosure obligations — such as the SEC’s proposed rule on cybersecurity risk management for public companies — and determine whether changes to their cyber policies may be required. Finally, given that the Act leaves much of the detail to the rulemaking process, concerned companies may also wish to draft and submit comments for consideration in rulemaking.

[1] §§ 2242(a)(1)(A), (2)(A).

[2] § 2242(a)(4).

[3] § 2242(a)(3).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

Written by:

King & Spalding