On April 4, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) proposed regulations that would create reporting requirements for cyber incidents experienced by critical infrastructure entities. The proposal, a requirement of the 2022-enacted Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”), would create a scheme whereby covered entities would be subject to the new reporting requirement if they experience a substantial cyber incident or make a ransomware payment as a result of a ransomware attack. Comments on the proposed rule are due by June 3, 2024.
Covered Entities
All entities in the critical infrastructure sectors are included in the covered entity definition unless designated a “small business” by the Small Business Administration. The 16 critical infrastructure sectors, per Presidential Policy Directive (PPD-21), includes financial services, communications, information technology, commercial facilities, critical manufacturing, and transportation services. Small businesses can still be included as covered entities if they meet sector-based criteria laid out in the proposal. The rule proposal carves out a set of Domain Name System entities from inclusion as covered entities.
Substantial Cyber Incident
Impact Threshold
The proposed definition of substantial cyber incident is triggered if either (1) an impact threshold is met or (2) unauthorized access through a specified third-party entity or supply chain compromise occurs.
The impact threshold for substantial cyber incident designation is met when, regardless of cause, a cyber incident leads to:
- A substantial loss of confidentiality, integrity or availability of a covered entity’s information system or network;
- A serious impact on the safety and resiliency of a covered entity’s operational systems and processes; or
- A disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services.
While the discussion section of the rule proposal does provide a list of “Incidents That Likely Would Not Qualify as Substantial Cyber Incidents”, this list is limited to examples where an entity only experiences minor disruptions or where security controls and remediation protocols promptly neutralize the risks associated with a cyber incident.
Explicitly Included Cyber Incident Causes
The rule proposal expounds that cyber incidents caused by any of the following events do trigger reporting requirements when the impact threshold is met:
- compromise of a cloud service provider;
- compromise of a managed service provider;
- compromise of another third-party data hosting provider;
- a supply chain compromise;
- a denial-of-service attack;
- a ransomware attack; or
- exploitation of a zero-day vulnerability.
Reporting Requirements
In accordance with CIRCIA, the draft language contemplates mandatory reporting requirements: (1) 72 hours after a covered entity “reasonably believes” that a covered cyber incident has occurred; and (2) 24 hours after ransom payment(s) have been made in response to a ransomware attack. A Joint Covered Cyber Incident and Ransom Payment Report will be made if a ransomware payment has been disbursed by the covered entity prior to the 72-hour deadline for the initial reporting of the covered cyber incident.
Reporting Waiver for Covered Entities with Multiple Requirements
The draft proposal creates a mechanism whereby covered entities which are already required to report relevant cyber incident information to a separate regulator may be waived from notifying CISA directly. The proposal would create “CIRCIA Agreements” which can be entered into by CISA and another Federal agency, at CISA's determination.
Information Requests and Subpoenas
The Director of CISA is granted the ability to issue information requests and subpoenas in the event of an insufficient response to such a request. The information requests are allowed if the Director has reason to believe that a covered entity experienced a covered cyber incident or made a ransom payment but failed to report it.
Other Key Elements
Records Preservation Requirement
Data and records preservation requirements of the proposal would mandate that information relevant to a covered cyber incident be preserved for at least two years from the date that a reporting obligation starts.
Liability Protections
The proposal does create liability protections whereby litigation solely based on the submission of a CIRCIA Report or a response to a request for information must be promptly dismissed by the court.
“Information Systems” Definition
The proposed language expands on prior definitions of “information systems” to explicitly include operational technology systems such as industrial control systems and programmable logic controllers. The term is used in the reporting criteria requirements of the proposal and its implementation may call for additional information gathering for covered entities accustomed to solely reporting on incidents relating to and affecting software.
Implementation Timeline
CISA currently estimates the Final Rule to be published in late 2025 and for implementation of the regulations to begin in 2026.
Active Preparation
Companies in the critical infrastructure sectors can assess the potential impact of these proposed regulations by examining how the “Substantial Cyber Incident” definition and reporting requirements in the proposal would map to their current incident detection and response protocols. Because the proposed reporting requirements are triggered by an impact threshold, companies defined as covered entities should consider the incorporation of the downstream effects of a cyber incident into their risk review and rating processes. Covered entities should apply a proper scope in assessing which impacts may activate the reporting requirements. The proposed language initiates a reporting requirement when a cyber incident lead(s) to one of the enumerated impacts. In practice, this creates a lower reporting threshold than requiring a report when an impact is caused by a cyber incident.
