In early April, the Cybersecurity and Infrastructure Security Agency (CISA), within the US Department of Homeland Security, released a Notice of Proposed Rulemaking (NPRM) implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The NPRM ushers in a new regulatory scheme under which certain "covered entities" must report specific cyber incidents and ransomware payments to CISA within fixed deadlines. Because the NPRM contemplates broad applicability, entities across the critical infrastructure sectors should become familiar with its requirements, as a significant number of them will fall within the rule's grasp.
This article provides a high-level overview of the dense regulatory scheme under the NPRM, which supplies key details about the scope and implementation of certain CIRCIA requirements. The agency has until September 2025 to issue a final rule, which will probably take effect sometime in mid-2026. In the meantime, interested parties have until June 3, 2024 to submit comments on the proposed rule.
Background
As previously mentioned, the NPRM implements CIRCIA, a two-year-old piece of legislation which, among other things, required CISA to develop regulations regarding reporting requirements for critical infrastructure entities that experience certain cyber incidents.
Specifically, CIRCIA requires "covered entities" to report to CISA within 72 hours of a "covered cyber incident" and within 24 hours of any payment made in response to a ransomware attack. The mandatory reports are meant to allow the agency to (i) administer assistance and deploy resources more quickly when such events occur to these entities, (ii) more effectively share information with network defenders to protect against further harm, and (iii) better analyze cyber incident and ransomware trends across the US. The act is also meant to standardize the federal government's cyber incident reporting requirements, which have previously involved a patchwork of overlapping federal rules and regulations.
The main elements addressed in the NPRM include specific definitions of "covered entities" and "covered cyber incidents" encompassed in the mandate. Below, we briefly discuss how the proposal details each definition. We also summarize information CISA intends to require in the reports according to the NPRM and protections for sensitive information included in the reports.
Covered Entities
CIRCIA defined "covered entities" broadly to mean entities in a critical infrastructure sector, as defined in Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience (PPD-21), which includes all entities that are "critical infrastructure" as defined by the Critical Infrastructures Protection Act of 2001 (the Protection Act). The Protection Act defines critical infrastructure as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." As the NPRM shows, and as outlined under PPD-21, these covered entities fall into 16 infrastructure sectors:
- Chemical
- Commercial Facilities
- Communications
- Critical Manufacturing
- Defense Industrial Base
- Dams
- Emergency Services
- Energy
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
The NPRM further clarifies that a "covered entity" is a critical infrastructure entity that meets either a size threshold or a sector-based criterion. The size threshold excludes most businesses classified as small businesses under the Small Business Administration's (SBA's) Small Business Size Regulation, which uses thresholds based on both employee numbers and annual revenues.
Despite this carve-out for small businesses, "covered entities" under the NPRM nevertheless include small businesses operating within critical infrastructure sectors that fulfill specific sector-based criteria, regardless of size. These criteria include entities which:
- Own or operate covered chemical facilities;
- Provide radio or wire communications services;
- Own or operate critical manufacturing infrastructure;
- Provide critical support to the Department of Defense (DoD) or handle covered defense information;
- Perform emergency services or functions;
- Own or operate bulk electric or distribution systems;
- Own or operate financial services infrastructure;
- Are state, local, tribal, or territorial government entities;
- Are education facilities;
- Support elections processes;
- Provide essential public health services;
- Provide certain information technology products or services;
- Own or operate commercial nuclear power reactors or fuel cycle facilities;
- Own or operate transportation systems;
- Are subject to a regulation under the Maritime Transportation Security Act; and/or
- Own or operate a community water system or publicly owned treatment works.
CIRCIA also provides an exception for entities that are already required to report substantially similar information, within a substantially similar timeframe, to another federal agency, provided CISA has entered into an agreement with that agency covering the reports. Candidates discussed in the NPRM include reporting to the Securities and Exchange Commission (SEC) under its Form 8-K disclosure requirements, to the Federal Trade Commission under its Safeguards Rule, and to the Department of Defense under its Safeguarding Covered Defense Information and Cyber Incident Reporting requirements. Entities that are already required to report to CISA under the Federal Information Security Modernization Act (FISMA) are likewise excluded.
Covered Cyber Incidents
CIRCIA required CISA to define what constitutes a "covered cyber incident," and the NPRM proposes that covered incidents be defined as "substantial cyber incident(s) experienced by a covered entity." The proposed meaning of "substantial" is broad and focuses on an incident's overall impact on the entity rather than on the nature of the information exposed. The definition includes any incident that results in:
- A substantial loss of confidentiality, integrity, or availability of an entity's information system or network.
- A serious impact on the safety and resiliency of an entity's operational systems and processes.
- A disruption of an entity's ability to conduct business, engage in industrial operations, or deliver goods or services.
- Unauthorized access to an entity's information system or network, or to any nonpublic information contained therein, that is facilitated through or caused by either (i) a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or (ii) a supply chain compromise.
In addition to CIRCIA's existing list of excluded incidents, the NPRM also excludes: (i) events perpetrated in good faith in response to a specific request by the owner or operator of the information system (for example, an authorized penetration test or red team engagement), and (ii) threats of disruption made as extortion, where no actual disruption has occurred. The proposal states that lawfully authorized activities of a U.S. government entity, including those undertaken pursuant to a warrant, will be excluded from the reporting requirements as well.
Reporting Requirements
The NPRM provides more details on what information will be required in the reports CIRCIA established, including both initial and supplemental reports after a covered cyber incident or ransomware payment. For both types of events, entities will have to include:
- Information about themselves, including contact information and sector-classification,
- A description of the incident, including networks and systems affected and technical details,
- A timeline of the incident,
- Any known vulnerabilities that were exploited,
- A description of existing security defenses,
- A description of the tactics, techniques, and procedures (TTPs) used in the attack,
- Known indicators of compromise,
- A description of any malware used,
- Any information about the adversary in the attack, and
- A description of how the entity responded to the incident, including any law enforcement agencies or third-party entities involved.
Ransomware payment reports will additionally have to include information about the payment, the payment instructions received, and the outcome of the payment. Supplemental reports will be required whenever substantial new or different information becomes available to the reporting entity.
These reports will be submitted through the web-based "CIRCIA Incident Reporting Form," available on the CISA website, within the 72-hour timeframe for covered cyber incidents and the 24-hour timeframe for ransomware payments. The NPRM also states that after submitting reports, entities will be required to retain all data and records related to the incident, in their original form where possible, for at least two years.
Information Protections
Information submitted to CISA under CIRCIA can be shared with other regulators and federal agencies for cybersecurity purposes, but the NPRM includes protections to ensure this information (i) does not expose covered entities to further liability, and (ii) retains any applicable legal privileges. The first protection means that information received by the government solely through CIRCIA reports cannot be used for unrelated regulatory actions and will not be admissible or subject to discovery in other litigation. The second ensures that information designated in a report as "commercial, financial, and proprietary" is treated as such and is exempt from government disclosure laws such as the Freedom of Information Act (FOIA). Further protections for the privacy of individuals are being developed by CISA separately.
Conclusion
While CISA's final rule will take at least a year to work through the rulemaking process, companies should begin evaluating now whether they will be considered a covered entity and, if so, whether they have the internal policies, procedures, and incident response controls necessary to meet the reporting deadlines and record-retention obligations once the rule takes effect.
You can also consult the full NPRM on the Federal Register, the Congressional Research Service's brief on the NPRM, or CISA's CIRCIA information page.