Disclaimer: This blog offers general information and should not be considered legal advice. Consult your own legal counsel for specific advice.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law by President Biden in 2022. Its goal is to strengthen the cybersecurity posture of the United States by establishing more robust incident reporting requirements for critical infrastructure entities. A key requirement of CIRCIA is for the Cybersecurity and Infrastructure Security Agency (CISA) to develop regulations to implement the law.
On April 4, 2024, CISA published a Notice of Proposed Rulemaking (NPRM), setting out such proposed regulations and seeking public input. Unless the comment period is extended, the public will have 60 days to submit written comments, and CISA will have 18 months to issue a final rule, which is anticipated to come into effect in early 2026.
Who is in Scope for Reporting?
Covered entities include any organization within a critical infrastructure sector that exceeds the applicable small business size standard (based on industry-specific SBA standards), and any entity, regardless of size, that meets one of the proposed sector-based criteria within a critical infrastructure sector. CISA estimates that upwards of 316,000 organizations will be considered “covered entities” under this rule.
The critical infrastructure sectors include:
- Chemical
- Commercial Facilities
- Communications
- Critical Manufacturing
- Dams
- Defense Industrial Base
- Emergency Services
- Energy
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
CISA referenced Presidential Policy Directive 21 for the list of these 16 critical infrastructure sectors. It elected not to propose sector-specific criteria for 3 sectors (Commercial Facilities, Dams, and Food and Agriculture). Organizations that don’t exceed the small business standards could still be subject to the rule if they meet one or more sector-specific criteria across the other 13 critical infrastructure sectors. For example, Information Technology companies providing IT hardware, software systems, or services to the federal government would fall within the requirements regardless of their size. CISA intends to publish additional guidance with the final rule to help organizations better understand whether they are part of a critical infrastructure sector.
What Triggers a Report?
A covered cyber incident is defined as a cyber incident that leads to any of the following impacts:
- Substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network.
- Serious impact on the safety and resiliency of a covered entity’s operational systems and processes.
- Disruption of a covered entity’s ability to engage in business or industrial operations or deliver goods or services.
- Unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, facilitated through or caused by a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or by a supply chain compromise.
Covered entities that make a ransomware payment must also report.
Reporting Timelines
Under the proposed rule, covered entities will be required to report to CISA within 72 hours after they reasonably believe a covered cyber incident has occurred, and within 24 hours after a ransomware payment is disbursed. There are also requirements to update these reports.
CISA is proposing a web-based “CIRCIA Incident Reporting Form” that they plan to make available. The report must include specific types and categories of information relating to the incident, depending on whether it is a Covered Cyber Incident Report or a Ransom Payment Report.
CISA indicates it will work with other federal agencies to find opportunities to reduce duplicative reporting by allowing organizations required to report similar information in similar timeframes to avoid reporting it again under CIRCIA.
Acknowledging the often-sensitive nature of these reports, the proposed rule states that a covered entity will not be required to waive applicable privilege or protection by submitting a report, and such reports are not subject to disclosure under public records laws such as the Freedom of Information Act.
Preparing for Compliance
Companies subject to the proposed rule should take several steps to prepare for it to become final:
- Stay Informed: Regularly monitor updates from CISA regarding the rulemaking process, and the final rule when it’s published. Understand the reporting requirements and timelines.
- Review Incident Response Plans: Evaluate existing incident response plans and ensure they align with the reporting requirements. Be prepared to update procedures to include timely reporting of covered cyber incidents and ransomware payments within the required timeframes.
- Incident Detection and Monitoring: Strengthen monitoring tools and processes to detect cyber incidents promptly (or ideally prevent them from happening at all).
- Data Gathering: Ensure your tools are collecting detailed information about your systems and environment to enhance your ability to prevent or detect cyber incidents, and to use for reporting purposes.
- Vendor and Third-Party Agreements:
  - Review Contracts: Evaluate agreements with vendors and third parties to ensure alignment with reporting obligations.
  - Include Reporting Clauses: Consider adding clauses requiring timely incident reporting in contracts.
- Voluntary Sharing of Information: While reporting under CIRCIA is not mandatory until the final rule goes into effect, consider voluntarily sharing information about cyber incidents with CISA. Early sharing helps prevent other organizations from falling victim to similar incidents and aids in identifying trends.
Remember that CISA’s proposed rule is open for public comment until June 3, 2024. Organizations can provide feedback during this period, which will be considered in developing the Final Rule.
Infoblox SOC Insights allows customers to identify, monitor, and analyze threat actors and their activities on their networks. For more information, contact an Infoblox representative.