The deadline to submit comments is June 3, 2024.
On March 15, 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 was signed into law. Generally, CIRCIA requires “covered entities,” defined as entities in certain critical infrastructure sectors, to report to the Cybersecurity and Infrastructure Security Agency (CISA) when they experience certain cyber incidents or make ransom payments in response to a ransomware attack. Certain cyber incidents must be reported within 72 hours after the covered entity reasonably believes the incident has occurred. Ransom payments must be reported within 24 hours of payment.
However, who is required to report, what constitutes a covered cyber incident, and what is required to be reported are not specified in the CIRCIA statutory language. On April 4, CISA published a proposed rule that will clarify the reporting requirements. CISA seeks comments on its proposed regulatory implementation of these reporting requirements. Comments may be submitted by clicking the “Submit a Formal Comment” box at the top of the proposed rule. The deadline to submit comments is June 3, 2024.
The proposed rule requires a covered entity to report substantial cyber incidents and certain ransom payments to CISA. There are four types of covered entity reports that can be made by a covered entity or by a third party on behalf of a covered entity:
The proposed rule defines a “covered entity” as an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21, including chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, materials and waste, and transportation systems.
For “substantial cyber incidents” that must be reported by covered entities, CISA’s proposed rule lists three related definitions:
Cyber incident – An occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually jeopardizes, without lawful authority, an information system
Covered cyber incident – A “substantial cyber incident” experienced by a covered entity
Substantial cyber incident – A cyber incident that leads to any of the following: (a) substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network; (b) a serious impact on the safety and resiliency of a covered entity’s operation systems and processes; (c) a disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or (d) unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise
CISA’s definition of a “substantial cyber incident” includes:
any cyber incident regardless of cause, including, but not limited to, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; a supply chain compromise; a denial-of-service attack; a ransomware attack; or exploitation of a zero-day vulnerability.
CISA proposes two explicit exclusions from a “substantial cyber incident”:
(i) any event where the cyber incident is perpetrated in good faith by an entity in response to a specific request by the owner or operator of the information system including Government entities; and (ii) the threat of disruption as extortion.
In addition to requiring “covered entities” to report “substantial cyber incidents,” the proposed rule also requires “covered entities” to report “ransom payments.” The proposed rule defines ransom payments using the same definition listed in the CIRCIA:
The term ‘‘ransom payment’’ means the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a “ransomware attack.”
The proposed rule also contains updates to the definition of “ransomware attack,” including alterations to the words incident, includes, and demands, so the definition can stand on its own in CIRCIA. A “ransomware attack” is defined as an incident that includes the use or threat of use of unauthorized or malicious code on an information system, or the use or threat of use of another digital mechanism such as a denial-of-service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system to extort a demand for a ransom payment. It does not include payment that “is not genuine; or [that is] made in good faith by an entity in response to a specific request by the owner or operator of the information system.” The intention of these exclusions is to protect organizations who wish to test the vulnerability of their systems to ransomware attacks.
Finally, the proposed rule addresses concerns raised about what CISA will do with the reported information, including how the agency will share data with non-federal stakeholders.
The proposed rule focuses on requiring “covered entities” to provide information to CISA; it does not establish a regulatory regime for directly combating or limiting cyber-attacks. CISA explained that the goal of the proposed rule is to increase the collection of data on cyber-attacks and empower the federal government to formulate more effective responses and protections:
CIRCIA’s legislative history indicates that the primary purpose of CIRCIA is to help preserve national security, economic security, and public health and safety. For example, in December 2021, HSGAC issued a fact sheet on the proposed legislation acknowledging the “serious national security threat” posed by cyberattacks and stating that CIRCIA would help enable a coordinated, informed U.S. response to the foreign governments and criminal organizations conducting these attacks against the United States. Similarly, the U.S. House Committee on Homeland Security (CHS) issued a fact sheet on the proposed legislation stating that CIRCIA would provide CISA and its Federal partners the visibility needed to bolster cybersecurity, identify malicious cyber campaigns in early stages, identify longer-term threat trends, and ensure actionable cyber threat intelligence is getting to the first responders and Federal officials who need it.
…
Both CIRCIA’s legislative history and statutory text highlight a number of more discrete purposes within the broader goals of enhancing national and economic security, and public health and safety. Some examples of these purposes include trend and threat analysis (i.e., the performance of cybersecurity threat and incident trend analysis and tracking, to include the analysis and identification of adversary tactics, techniques, and procedures (TTPs)); vulnerability and mitigation assessment (i.e., the identification of cyber vulnerabilities and the assessment of countermeasures that might be available to address them); the provision of early warnings (i.e., the rapid sharing of information on cyber threats, vulnerabilities, and countermeasures through the issuance of cybersecurity alerts or other means); incident response and mitigation (i.e., rapid identification of significant cybersecurity incidents and offering of assistance—e.g., personnel, services—in incident response, mitigation, or recovery); supporting Federal efforts to disrupt threat actors; and advancing cyber resiliency (i.e., developing and sharing strategies for improving overall cybersecurity resilience; facilitating use of cyber incident data to further cybersecurity research; engagement with software/equipment manufacturers on vulnerabilities and how to close them).