
Federal agency CISA sets new standards for mandatory reporting of critical infrastructure issues

Under the agency's proposed CIRCIA rule, entities covered by the act would have to report significant cyber attacks and ransom payments within set deadlines.


The Cybersecurity and Infrastructure Security Agency (CISA) has posted a notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The proposed rule, scheduled for formal publication on April 4, aims to enhance the nation's cybersecurity by requiring entities operating in critical infrastructure sectors to report significant cyber incidents within 72 hours of discovery.

CIRCIA primarily targets entities whose disruption could pose significant risks to public health, safety, or national security. The proposed rule does not exhaustively list the sectors covered, but energy, water and wastewater systems, healthcare and public health, transportation, communications and information technology, financial services, emergency services and government services, and other sectors integral to national security and public safety are likely to be included.

Water and wastewater utilities, in particular, have been explicitly mentioned as being subject to CIRCIA reporting requirements. Covered entities must meet several key requirements: reporting covered cyber incidents within 72 hours, reporting ransom payments within 24 hours, preserving related evidence for at least 2 years, and maintaining well-rehearsed response plans and effective communication channels.

The proposed rule is expected to affect more than 316,000 entities, and the cost of implementation is estimated to be $2.6 billion over the period of analysis. The public comment period for written responses will last for 60 days, providing an opportunity for entities to voice their concerns or suggestions about the new rule.

However, there may be further debate about which entities will be fully required to comply under the new rule. For instance, it's not clear whether claims processor Change Healthcare, which caused widespread disruption in the healthcare sector due to a recent attack, would be covered under the current framework.

CIRCIA is expected to give federal authorities a better understanding of threats, earlier detection of adversary campaigns, and more coordinated action with partners in response to cyber threats. CISA Director Jen Easterly has called CIRCIA a game changer for the cybersecurity community because it lets federal authorities coordinate responses to threats against critical infrastructure.

For exact sector listings and entity-level applicability, checking official DHS or CISA guidance on CIRCIA is advisable. The Department of Homeland Security posted the unpublished notice for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 on the Federal Register site for public inspection on Wednesday.

  1. Given the ongoing challenge posed by ransomware attacks in the technology sector, entities in the communications and information technology sector, which are likely covered by CIRCIA, would be expected to report significant cyber incidents within 72 hours of discovery.
  2. Under CIRCIA, entities such as water and wastewater utilities and financial services firms, whose disruption could pose significant risks to national security and public safety, must report the details of any ransom payment within 24 hours if they fall victim to a ransomware attack.
