
Alert issued by CISA for the anticipated mandatory reporting rules concerning critical infrastructure assets

Substantial cyber incidents, and any ransom payments made after a ransomware attack, must be reported promptly by entities that fall under CIRCIA.

CISA publishes proposed rule for mandatory reporting of critical infrastructure cyber incidents

The Cybersecurity and Infrastructure Security Agency (CISA) has announced a notice of proposed rulemaking implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The rule is intended to give CISA a better understanding of the threat landscape, allow adversary campaigns to be spotted earlier, and enable more coordinated action with partners in response to cyber threats across the 16 critical infrastructure sectors.

Formal publication of the notice is scheduled for April 4, and the Department of Homeland Security has already posted the unpublished notice for public inspection on the Federal Register site. The 16 critical infrastructure sectors are: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials and waste; transportation systems; and water and wastewater systems.

CIRCIA defines a "covered entity" as an entity in one of these critical infrastructure sectors that meets the additional criteria CISA sets out in its implementing rule. Notably, the proposed rule treats an organization as a whole: if any constituent part of a corporate entity meets the criteria, the entire entity is covered, so a qualifying cyber incident affecting any part of the organization is reportable under CIRCIA. The rule also reaches some third-party service providers that support these critical infrastructure sectors.

Under CIRCIA, covered entities will be required to report covered cyber incidents within 72 hours of reasonably believing that such an incident has occurred, and to report any ransom payment made in response to a ransomware attack within 24 hours of making the payment. UnitedHealth Group, the parent company of Change Healthcare and central to the recent cyberattack there, would be treated as a critical infrastructure provider under the current definitions.

CISA estimates that the proposed rule will cost $2.6 billion over the period of analysis. A 60-day public comment period opens once the notice is formally published, during which written responses can be submitted.

Analysts anticipate further debate over which entities will be fully required to comply with the new rule. One notable case is Change Healthcare, the victim of the recent cyberattack that severely disrupted the US healthcare sector, whose status under the proposed framework remains in question.

CISA Director Jen Easterly described CIRCIA as a game changer for the cybersecurity community, saying it will allow vital details to be shared more effectively with industry and government partners and thereby improve the overall coordination of responses to threats against critical infrastructure. Katell Thielemann, Distinguished VP Analyst at Gartner, echoed this sentiment, calling the rule a significant step towards strengthening the nation's cybersecurity posture.


  1. The forthcoming Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rule from CISA will require covered entities, including those in the chemical, commercial facilities, communications, critical manufacturing and other critical infrastructure sectors, to report covered cyber incidents within 72 hours and ransom payments within 24 hours, in an effort to improve visibility into threats and coordinate responses.
  2. Extending the CIRCIA rule to some third-party service providers that support critical infrastructure sectors means those providers may themselves carry reporting obligations, and must be prepared to report promptly and collaborate with government and industry partners, improving the nation's overall cybersecurity posture.
