On April 4, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published its much-anticipated Notice of Proposed Rule Making for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
CIRCIA was signed into law in March 2022 in response to a growing number of cyber threats and attacks on entities operating within certain critical infrastructure sectors. Under CIRCIA, companies within 16 identified critical infrastructure sectors will be required to report substantial cyberattacks within 72 hours “after the company reasonably believes the incident has occurred.” Ransomware payments must also be reported within 24 hours of being made. Companies must also retain certain documentation for a two-year period following the incident.
CISA’s 447-page Proposed Rule sets out the criteria for which companies are covered and which incidents must be reported.
Who Must Report?
CIRCIA defines a “covered entity” based on 16 critical infrastructure sectors, including communications, education, emergency services, financial services, public health, IT, and transport. The Proposed Rule offers supplemental sector-based criteria for some specific industries, including chemicals, communications, critical manufacturing, defense contracting, emergency services, financial services, government facilities, healthcare and public health, IT, nuclear, transportation, and water and wastewater.
The Proposed Rule provides a series of criteria for determining whether an entity within a critical infrastructure sector will be required to report incidents. Perhaps the most significant criterion for qualification is that the Proposed Rule covers only entities that exceed the small business size standard specified by the U.S. Small Business Administration’s Small Business Size Regulations. Within certain sectors, however, the criteria are more specific. For example, under the Proposed Rule, healthcare facilities with fewer than 100 beds are not required to report incidents, except that “critical access” hospitals would be required to report.
CISA has indicated that it expects somewhere between 300,000 and 350,000 companies will be required to report under CIRCIA, and it anticipates receiving around 25,000 reports each year.
What Must Be Reported?
The Proposed Rule generally requires companies to report “substantial” cyber incidents within 72 hours and ransom payments within 24 hours. A cyber incident is “an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually jeopardizes, without lawful authority, an information system.”
A cyber incident would be “substantial,” and thus reportable, if it leads to:
- A substantial loss of confidentiality, integrity, or availability of an information system or network.
- A serious impact on the safety and resiliency of operational systems and processes.
- A disruption of a company’s ability to engage in business or industrial operations or deliver goods or services.
- Unauthorized access to information systems or networks, or any nonpublic information contained therein, that is facilitated through or caused by: (1) a compromise of a cloud-service provider, managed-service provider, or other third-party data hosting provider; or (2) a supply chain compromise.
Examples of substantial cyber incidents include:
- A distributed denial-of-service (DDoS) attack that renders a company’s services or goods unavailable to customers for an extended period of time.
- A cyber incident that encrypts a core business or information system.
- Unauthorized access to a company’s business systems using compromised credentials from a managed-service provider.
But not every incident will be reportable under the Proposed Rule. For example, a DDoS attack that results only in a brief period of unavailability of a company’s website that does not provide critical functions or services to customers would not require a report. Nor would a cyber incident that results in only minor disruptions or the compromise of a single user’s credentials, or a malware download that anti-virus software successfully prevents from executing.
So, for example, a DDoS attack that only temporarily stops customers from visiting a company’s website wouldn’t qualify as substantial, whereas a similar DDoS attack with significant downtime for critical functions would meet the criteria.
What Happens for Failure to Report?
The Proposed Rule also grants CISA authority to issue subpoenas to companies compelling disclosure of information “if there is reason to believe that the entity experienced a covered cyber incident or made a ransom payment but failed to report the incident or payment.” If a company fails to comply or provides an inadequate or false response, CISA may refer the inquiry to the U.S. Department of Justice to bring a civil action or pursue acquisition penalties, suspension, or debarment.
What’s Next?
The Proposed Rule is open for public comment until June 3, 2024. CISA will then have 18 months, until October 4, 2025, to make any modifications and publish its Final Rule. While companies will not be required to report cyber incidents or ransom payments until the Final Rule goes into effect, CISA has encouraged all companies to voluntarily share information in the interim.