On March 27, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published a notice of proposed rulemaking (NPRM) implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). For additional background on CIRCIA, see our prior advisory. CISA is required to issue a final rule by October 4, 2025.

Who is required to report covered cyber incidents?

The proposed rule applies to “covered entities,” which includes entities in a critical infrastructure sector that either exceed the small business size standard (as defined by the Small Business Administration) or meet one or more of the specific sector-based criteria in the rule. CISA interprets critical infrastructure to include those sectors listed in Presidential Policy Directive 21 (PPD 21). The sector-based criteria would include in scope small businesses that own and operate critical infrastructure in the majority of the critical infrastructure sectors.

What type of incident must be reported?

A covered cyber incident, which must be reported to CISA, is defined as a substantial cyber incident. A substantial cyber incident is a cyber incident that leads to any of the following:

1. A substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network;
2. A serious impact on the safety and resiliency of a covered entity’s operational systems and processes;
3. A disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or
4. Unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by a:
   1. Compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; or
   2. Supply chain compromise.
5. A “substantial cyber incident” resulting in the impacts listed in paragraphs (1) through (3) in this definition includes any cyber incident regardless of cause, including, but not limited to, any of the above incidents caused by a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; a supply chain compromise; a denial-of-service attack; a ransomware attack; or exploitation of a zero-day vulnerability.

What are the reporting requirements?

• A covered entity that experiences a covered cyber incident must report that incident to CISA no later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred.
• A covered entity that makes a ransom payment, or has another entity make a ransom payment on its behalf, as the result of a ransomware attack must report that payment to CISA no later than 24 hours after the ransom payment has been disbursed.
• A covered entity that experiences a covered cyber incident and makes a ransom payment, or has another entity make a ransom payment on its behalf, that is related to the covered cyber incident may report both events to CISA in a joint report no later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred.
• A covered entity must promptly submit a Supplemental Report about a previously reported covered cyber incident if substantial new or different information becomes available.
• A covered entity must submit a Supplemental Report if the covered entity makes a ransom payment, or has another entity make a ransom payment on its behalf, that relates to a covered cyber incident that was previously reported. The covered entity must submit the Supplemental Report to CISA no later than 24 hours after the ransom payment has been disbursed.

What information must be included in CIRCIA Reports?

All CIRCIA Reports must include certain identifying information regarding the reporting entity. Additional information is required for different types of reporting, including different specific requirements for Covered Cyber Incident Reports and Ransom Payment reports, as described below.

At a high level, Covered Cyber Incident Reports must further include technical details of the incident, such as the impacted networks and/or devices, categories of impacted information, the entity’s security controls, IOCs, and samples of any malicious software.

In addition to all information required in a Covered Cyber Incident Report, Ransom Payment Reports must further include the date of the ransom payment, amount and type of assets used, and additional details regarding the demand and payment.

Are there any exceptions to the proposed reporting requirements?

A covered entity that has substantially similar reporting obligations to both CISA and another federal agency may report only to the federal agency, so long as the agency has a “CIRCIA Agreement” in place with CISA and the contents and timing of such reporting is substantially similar. A “CIRCIA Agreement” is an agreement between CISA and another federal agency with which it has an information sharing mechanism in place, where the federal agency requires substantially similar incident reporting as CISA. This means that both the content and the timing of the federal agency reporting requirement must be substantially similar to CISA’s requirements.

Even in instances where there is a CIRCIA Agreement in place, a covered entity must analyze whether the specific report it is required to make is substantially similar in content and timing. CISA stated that it does not intend to define what constitutes a substantially similar information or content requirement in the final rule. Rather, CISA noted that in determining whether information is substantially similar, it will consider whether the information required by the federal agency serves the same function or use, provides the same insights or conclusions, and enables the same analysis as the information or data requested in the relevant CIRCIA Report form fields.

CISA further stated that it construes substantially similar timing to mean that CISA would receive the report from the other Federal agency within the same timeframe in which the covered entity would have been required to submit the report to CISA under CIRCIA had the covered entity reported directly to CISA.

What protections do reporting entities have?

The NPRM notes that a covered entity does not waive any applicable privilege or protection provided by law as a consequence of submitting a CIRCIA Report as described above, or a response to a request for information as detailed below. Reports and responses submitted in compliance with these rules are similarly exempt from disclosure under FOIA and any state or local government freedom of information laws or open records laws. To receive such exempt treatment, the covered entity must designate the CIRCIA Report as containing commercial, financial, and proprietary information.

Consistent with CIRCIA, the NPRM provides that no cause of action may lie if it is “solely based on the submission of a CIRCIA Report or a response provided to a request for information,” and the information in CIRCIA Reports and responses to RFIs cannot be received in evidence, subject to discovery, or used in any proceeding. Further, while CISA has indicated that the reports and responses will be shared within the federal government, information obtained solely through CIRCIA Reports and responses to RFIs may not be used to regulate the activities of a covered entity.

What data and records must be preserved related to covered cyber incidents?

The NPRM would require certain data and records pertaining to covered cyber incidents and ransom payments to be maintained for two years following the last report submitted to CISA, including IOCs, relevant log entries, relevant forensic artifacts, network data, certain system information, information about exfiltrated data, and any forensic or other reports concerning the incident.

Are there penalties for noncompliance?

CISA can pursue administrative penalties against covered entities, apart from state and local governments. For those covered entities within scope, if CISA believes the entity has experienced a covered event that was not reported, it can issue a request for information.

If a covered entity fails to respond to a request for information, CISA may follow with a subpoena as necessary to compel disclosure. CISA can also refer matters to the Attorney General for civil proceedings if a company disregards a subpoena. The issuance of a subpoena is appealable to the Director of CISA.

CISA may provide information submitted in response to a subpoena to the Attorney General or the head of a federal regulatory agency if CISA determines that the facts relating to the cyber incident or ransom payment may constitute grounds for criminal prosecution or regulatory enforcement action.

How can companies influence the final regulation?

Once published in the Federal Register on April 4, 2024, the NPRM will be open for public comment for 60 days, making the deadline to submit comments in early June 2024. While commenters are free to submit comment on any portion of the proposed rule, CISA noted that it is particularly interested in receiving public comment regarding, among other items:

• The proposed definition of cyber incident.
• The proposed description of covered entity and the scope of entities to whom the regulation applies.
• The proposed manner, form, and content of required CIRCIA Reports.
• The proposed data and records preservation requirements, including the preservation period.
• The proposed enforcement procedures.

[View source.]