Tech & Sourcing @ Morgan Lewis


In March 2022, President Joseph Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which tasked the Cybersecurity and Infrastructure Security Agency (CISA) with developing and implementing regulations around cyber incident and ransom payment reporting. Under the act, the CISA is to gather the information it receives from covered entities and analyze it to the extent that such information can be used to help identify ways to avoid similar incidents in the future, or minimize the harmful potential impacts.

On September 9, 2022, CISA announced that it would be issuing a Request for Information (RFI) to gather input and comments on the development of the reporting regulations, which will enable CISA to respond effectively to cyber incidents and facilitate a coordinated approach to preventing or mitigating similar incidents moving forward. In tandem with the RFI, CISA will also be holding listening sessions across the country to provide a forum for the general public to give feedback on the regulations. Comments may address topics including, without limitation, definitions, reporting contents, reporting procedures, and information sharing practices. Before issuing a final rule, CISA will consider the public input gathered from the upcoming listening sessions and then publish a notice of proposed rulemaking.

Through the act, CISA aims to provide an avenue for targeted entities to receive support and assistance from government agencies, and produce reports to CISA “related to a covered cyber incident to assess the effectiveness of security controls, identify tactics, techniques, and procedures adversaries use to overcome those controls and other cybersecurity purposes, including to assess potential impact of cyber incidents on public health and safety to enhance the situational awareness of cyber threats across critical infrastructure sectors.” The act also allows CISA to monitor ransom payments associated with cyber incidents and share the information it gathers with federal agencies in order to provide assistance and respond appropriately.

Listening sessions will be conducted throughout the fall and will be followed by a Notice of Proposed Rulemaking, which will contain CISA’s proposed regulations for cyber incident and ransom payment reporting.