On March 27, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) within the US Department of Homeland Security released a much-anticipated notice of proposed rulemaking (NPRM) to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Under the proposed rule, covered entities will have 72 hours to report to CISA a “covered cyber incident” and 24 hours to report a ransom payment (even if it is not a payment associated with a covered incident). The proposed rule, if adopted in its current form, will substantially expand on existing US cyber incident reporting requirements and have important implications for how relevant companies respond to cyber incidents. CISA expects to publish a final rule by late 2025, with reporting likely beginning in 2026.
Interested parties will have 60 days from the publication date (currently scheduled for April 4, 2024) to submit comments (making the deadline June 3, 2024). In addition to the text of the rule, the NPRM contains more than 300 pages of commentary on the background and purpose of the rule, comments received from stakeholders, and rationale for specific elements of the rule. The commentary also includes specific requests for comments on various aspects of the rule such as the content of reports, data preservation requirements, and enforcement mechanisms.
We summarize the key elements of the proposed rule below.
COVERED ENTITIES
The rule would apply to entities in a critical infrastructure sector that either (1) exceed the small business size standard or (2) meet a sector-based criterion. CISA estimates that, based on the current criteria, more than 316,000 entities would be covered under the rule.
In a critical infrastructure sector: CISA interprets this term to mean that an entity is in one of the 16 critical infrastructure sectors enumerated in Presidential Policy Directive 21 (PPD 21). CISA recommends that entities review available guidance, including publicly available sector plans for each critical infrastructure sector, to determine whether they are covered entities. While this determination process will be straightforward for most entities, CISA will conduct an outreach and education campaign to inform entities that are likely “covered entities.” CISA states that “the overwhelming majority of entities, though not all, are considered part of one or more critical infrastructure sectors.” Notably, CISA emphasized that it did not limit the scope of entities “in a critical infrastructure sector” to owners or operators of critical infrastructure.
Exceed the small business size standard: All entities that are in a critical infrastructure sector and are not a small business are covered entities subject to the rule. The rule looks to the small business size regulations created by the Small Business Administration to identify when a business is no longer a small business.
Meet a sector-based criterion: CISA also intends to cover small businesses that own and operate critical infrastructure in the scope of the rule. To that end, CISA has included additional sector-based criteria in the rule that bring certain small businesses within the scope of the rule. CISA has included sector-based criteria for 13 of the 16 critical infrastructure sectors. These criteria encompass defense contractors, financial services firms, certain manufacturing entities, information technology firms, communication services providers, transportation and utility entities, schools, and other entities.
COVERED OR SUBSTANTIAL CYBER INCIDENT1
Covered entities would be required to report a “substantial cyber incident,” which is defined as an incident that leads to any of the following:
(1) A substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network;
(2) A serious impact on the safety and resiliency of a covered entity’s operational systems and processes;
(3) A disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or
(4) Unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by a:
(i) Compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; or
(ii) Supply chain compromise
The proposed rule notes that a cyber incident qualifies as “substantial” based on the impacts listed in paragraphs (1) through (3), regardless how it was caused (i.e., whether through a sophisticated, multi-step compromise of a third-party provider or supply chain compromise, on the one hand, or a more common denial-of-service or ransomware attack, on the other).
The rule does not explicitly differentiate incidents based on what type of system or data was targeted or where the system is geographically located. In the commentary in the NPRM, CISA provides examples of incidents that would likely qualify as substantial cyber incidents, including “any cyber incident that encrypts one of a covered entity’s core business systems or information systems,” “the exploitation of a vulnerability resulting in the extended downtime of a covered entity’s information system or network,” and “a ransomware attack that locks a covered entity out of its industrial control system.”
In contrast, “cyber incidents that result in minor disruptions, such as short-term unavailability of a business system or a temporary need to reroute network traffic,” or an instance when “malicious software is downloaded to a covered entity’s system, but anti-virus software successfully quarantines the software and precludes it from executing” would likely not qualify as substantial cyber incidents, according to CISA.
REPORTING REQUIREMENTS
Timing
Covered entities must report covered cyber incidents to CISA no later than 72 hours after the covered entity reasonably believes the covered cyber incident has occurred. Commentary on the rule sets out an expectation that, in most cases, any preliminary analysis required to establish a “reasonable belief” should be undertaken “as soon as reasonably practicable after becoming aware of an incident,” “should be relatively short in duration (i.e., hours, not days),” and “generally would occur at the subject matter expert level and not the executive officer level.”
Covered entities must report ransom payments no later than 24 hours after the ransom payment has been sent. Ransom payments must be reported regardless of whether the underlying incident is a covered cyber incident or whether the payment was made by a third party on behalf of the entity.
Web-based Form
The NPRM contemplates that a covered entity will be able to submit a CIRCIA Report (on either a covered cybersecurity incident or ransomware payment) through a “web-based CIRCIA Incident Reporting Form available on CISA’s website.”
Information Required
Both types of reports require information on items such as the technical details of the incident, categories of information believed to have been accessed or acquired, vulnerabilities exploited, the entity’s security protocols, the impact of the incident on operations, indicators of compromise, identifying information about the attacker, and identification of any law enforcement responding to the incident. Ransomware reports also require information on the payment demand, amount and type of assets used in the payment, identity of the recipient, virtual currency address, transaction identifier, and outcome of the payment.
If a covered entity uncovers substantial new or different information about the incident, including information that was required to be included in the report but the entity did not have at the time of the submission, it must promptly submit a supplemental report to CISA with that information.
“Substantially Similar” Reporting Exception
Covered entities may be excepted from submitting CIRCIA Reports if they are subject to the cyber incident reporting requirements of a different agency and CISA enters into an agreement with that agency acknowledging that the reporting requirements are “substantially similar” and that there is an information-sharing mechanism in place. Until there is an agreement, the covered entity must comply with the reporting requirements.
TREATMENT OF REPORTS & LIABILITY PROTECTION
A covered entity does not waive any applicable legal privilege as a consequence of submitting a CIRCIA Report or responding to a request for information (RFI). CIRCIA Reports are also exempt from disclosure under FOIA and other comparable local, state, and federal laws. A covered entity must designate its CIRCIA Report or response as “commercial, financial, and proprietary information” if it desires that CISA treat it as such.
The NPRM provides, as reflected in CIRCIA, that no cause of action may lie and shall be promptly dismissed if it is “solely based on the submission of a CIRCIA Report or a response provided to a request for information.” This protection does not impact the entity’s potential liability for the underlying incident. CIRCIA Reports, responses to RFIs, and communications or materials created for the sole purpose of submitting CIRCIA Reports or responses may not be received in evidence, subject to discovery, or used in any proceeding. Although CISA has signaled an intent to share the CIRCIA Reports widely, government bodies are also prohibited from using information “obtained solely through a CIRCIA Report (…) or a response provided to a request for information” to regulate the activities of a covered entity.
DATA PRESERVATION
Regardless of whether a covered entity submits a CIRCIA Report or is eligible for an exception from reporting, it must preserve data and records related to the covered incident or ransom payment for no less than two years from the date of submission or the date the submission would have been required.
ENFORCEMENT
The Director of CISA may issue an RFI to a covered entity if there is reason to believe that the entity has failed to submit a required report. If the entity does not respond by the deadline or its response is inadequate, the Director may request additional information or may issue a subpoena to compel information. An entity that fails to comply with a subpoena may be subject to a civil action for injunctive relief to enforce the subpoena. Any person who makes a false statement or representation in connection with a CIRCIA Report may face criminal penalties under 18 U.S.C. §1001. In the commentary, CISA notes that it “would not consider scenarios where a covered entity reports information that it reasonably believes to be true at the time of submission, but later learns through investigation that it was not correct and submits a Supplemental Report reflecting this new information, to constitute a false statement or representation.”
CISA’S USE OF REPORTS
Though not expressly addressed in the text of the proposed rule, CISA notes in the commentary that CIRCIA imposes “requirements related to the analysis and sharing of information received through CIRCIA reports to ensure their value is reasonably maximized.” CISA will aggregate and analyze CIRCIA Reports to assess the effectiveness of security controls and enhance situational awareness of cyber threats across critical infrastructure sectors. In addition, CISA will share information with relevant federal agencies to identify and track ransom payments, provide insights to other governmental and security-focused organizations, and publish quarterly reports with aggregated findings.
FURTHER IMPLEMENTATION
CISA expects to publish a final rule by late 2025, with reporting likely beginning in 2026. CISA anticipates needing an annual budget of approximately $115.9 million to cover functions associated with CIRCIA and notes that its budget request will include funding for additional federal staff, contractor support, and new technology.
1 The NPRM defines a “covered cyber incident” as “a substantial cyber incident experienced by a covered entity.”
[View source.]
