CISA Releases Proposed Cyber Incident and Ransom Payment Reporting Rules to Implement CIRCIA
CISA's proposed rules will require organizations operating in U.S. critical infrastructure sectors to report cyber incidents within 72 hours and ransom payments within 24 hours.
On March 27, 2024, the Cybersecurity and Infrastructure Security Agency ("CISA") of the Department of Homeland Security ("DHS") announced its Notice of Proposed Rulemaking (the "Proposed Rule") to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 ("CIRCIA"). The Proposed Rule will mandate critical infrastructure entities to report "substantial" cyber incidents and ransom payments. If adopted in its current form, the Proposed Rule would be one of the most sweeping federal cybersecurity incident-reporting regulations.
Covered Entities
The Proposed Rule would apply to an entity in one of 16 critical infrastructure sectors enumerated in Presidential Policy Directive 21 that either exceeds the small business size standard or meets a sector-based criterion. These sector-based criteria exist for 13 of the 16 critical infrastructure sectors and encompass defense contractors, financial services firms, certain manufacturing entities, information technology firms, communication services providers, transportation and utility entities, and others. CISA estimates more than 316,000 entities would be covered entities, including owners and operators of critical infrastructure and their supporting entities. Where it is not obvious that an entity operates in a critical infrastructure sector, CISA recommends reviewing public guidance to determine whether the Proposed Rule applies.
Covered Cyber Incidents
The Proposed Rule defines "Covered Cyber Incidents" as "substantial" cyber incidents that result in: (i) substantial loss of confidentiality, integrity, or availability of an information system or network; (ii) serious impact on the safety and resiliency of operational systems and processes; (iii) disruption of the ability to engage in business or industrial operations, or deliver goods or services; or (iv) unauthorized access to information systems or networks, or any nonpublic information contained therein, facilitated through or caused by compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or supply chain compromise. A cybersecurity incident is "substantial" if it meets the criteria in items (i) through (iii) above, regardless of its cause. The Proposed Rule does not differentiate Covered Cyber Incidents based on the type of system or data affected, and applies without regard to where the system is geographically located.
Under the Proposed Rule, CISA would have robust enforcement authority, including issuing requests for information and subpoenas, and referring noncompliance to DHS and the Attorney General for administrative, criminal, or civil enforcement.
Entities in critical infrastructure sectors should carefully review the Proposed Rule to determine their applicability and ensure alignment with its incident-reporting requirements.
