The Cybersecurity and Infrastructure Security Agency (CISA) issued a request for information (RFI) on the new cyber incident reporting requirements that the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) imposes on critical infrastructure owners.
CIRCIA was signed into law by President Joseph Biden in March 2022 and will require critical infrastructure owners to report certain cybersecurity incidents to CISA within 72 hours and to report ransom payments in response to a ransomware attack within 24 hours. Critical infrastructure owners may also need to submit supplemental reports to CISA as new information is uncovered. CIRCIA tasks CISA with developing and implementing the regulations that will govern those reporting obligations following an administrative rulemaking that CISA must initiate by March 2024. The RFI, which was published in the Federal Register on September 12, 2022, is intended to gather the information needed to assist CISA in preparing that rulemaking.

RFI Topics
The RFI provides a non-exhaustive list of topics for comment, including the following key areas:
- Key Definitions and Scope: CIRCIA applies to “covered entities” within the 16 critical infrastructure sectors recognized by the Department of Homeland Security. The RFI asks how to define a “covered entity” to which the rules will apply, as well as the criteria for triggering events under the statute. For example, CISA seeks input on defining “substantial cyber incidents,” “ransomware payments,” or other disruptions (including third-party service provider and supply chain compromises) that will trigger a covered entity’s reporting obligations.
- Starting the “Clock”: A common challenge for companies with time-dependent cyber incident reporting obligations is determining when the clock starts. Cyber incident responses are often fluid and rapidly evolving situations. In some cases, affected entities may need hours or days of investigation to determine whether a potential incident is benign or a reportable cyber incident. The RFI seeks recommendations on what could constitute a covered entity’s reasonable belief that a triggering cyber incident has occurred, thereby initiating the 72-hour deadline for reporting. The RFI also seeks input on when the 24-hour deadline for reporting ransom payments begins.
- Reporting Content and Process: The RFI seeks suggestions on how covered entities should submit the information required under CIRCIA, including the specific information that must be in the reports, recognizing that CISA may facilitate sharing of the reported information with federal partners.
- Overlapping Reporting Obligations: Many covered entities are already subject to mandatory cyber incident reporting requirements, at both the federal and state levels. The RFI seeks further input on what those competing reporting obligations may be and the extent to which they overlap, or conflict, with CIRCIA’s reporting requirements.
Other topics in the RFI include the following:
- What criteria CISA should consider for mandatory supplemental reporting, and how covered entities can comply with that obligation;
- Information sharing and advising other covered entities impacted by a ransom payment;
- When a third-party entity may submit a covered cyber incident report or ransom payment report on behalf of a covered entity;
- Key data points, such as cost burdens associated with mandatory cyber incident reporting and estimates on the number of ransom payments covered entities will likely make on an annual basis; and
- Information policies and procedures, such as enforcement procedures and information protection policies, that will be required for implementation of the regulations.
CISA’s cyber incident reporting regulations have the potential to significantly impact the way critical infrastructure owners handle potential incidents and coordinate with third parties. Critical infrastructure owners and relevant third-party service providers alike should consider participating in the RFI process or monitoring CISA’s efforts as the agency transitions into a formal rulemaking proceeding.
The deadline to submit written comments in response to the RFI is November 14, 2022. In addition, CISA will be hosting public “listening sessions” around the country to solicit direct feedback on the new regulatory framework.