Cyber Incident Reporting for Critical Infrastructure Act: Significant Changes to Incident Reporting Are on the Horizon

Polsinelli

In May 2021, Colonial Pipeline, a privately held pipeline operator that carries roughly 45 percent of the fuel (gasoline, diesel and jet fuel) consumed on the U.S. East Coast, was crippled by a DarkSide ransomware attack.1 DarkSide is widely believed to be a Russia-based cybercriminal enterprise. Two days into the incident, the Biden administration issued an emergency declaration, which fed national fear of a gasoline shortage, panic buying, price spikes and lines at the pump. People were storing gasoline in trash bags and other unsafe containers, prompting the government to warn about the dangers of these practices. Colonial Pipeline paid a $4.4 million ransom to DarkSide in exchange for a decryption key, partly because it had no clear picture of the impact while all systems were offline or of how long recovery would take without the key.2 In the end, the systems moving fuel were offline for only about five days, but the cascading effects on air travel and consumer behavior highlighted the vulnerability of U.S. infrastructure. While cyberattacks on the nation’s infrastructure are not new, this event accelerated the U.S. government’s efforts to address how the immediate and long-term harm caused by cyberattacks threatens national security.

In response to the Colonial Pipeline attack, Congress passed, and President Biden signed into law on March 15, 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), enacted as Division Y of the Consolidated Appropriations Act, 2022. CIRCIA emphasizes the importance of information sharing by mandating that certain organizations report substantial cyber incidents and ransom payments to the federal government.

What is CIRCIA?

At a high level, CIRCIA requires the Cybersecurity and Infrastructure Security Agency (CISA) to issue regulations that require covered entities (1) to report covered cyber incidents and (2) to report ransom payments to CISA on an expedited basis. The statute gives CISA up to 24 months from enactment to publish a Notice of Proposed Rulemaking (NPRM) and up to 18 months after that to publish the final rule; however, these initiatives are executive priorities and the timeline to the final rule may be accelerated. The reporting obligations do not take effect until the final rule does. From September to November 2022, CISA held a series of public listening sessions across the country, alongside a written request for information, to gather input on definitions, scope, triggers and procedures for covered entities reporting covered incidents, ahead of the NPRM and the eventual final rule.

The act requires CISA to develop regulations around several requirements related to the reporting and sharing of covered cyber incidents, including the following:

  • Cyber incident reporting requirements: Covered entities must report to CISA any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred.
  • Federal incident report sharing: Any federal entity receiving a report on a cyber incident after the effective date of the final rule must share that report with CISA within 24 hours. CISA will also have to make information received under CIRCIA available to certain federal agencies within 24 hours.
  • Cyber Incident Reporting Council: The U.S. Department of Homeland Security must establish and chair an intergovernmental Cyber Incident Reporting Council to coordinate, de-conflict and harmonize federal incident reporting requirements.3

The act additionally authorizes several initiatives related to combating ransomware to include the following:

  • Ransom payment reporting requirements: CIRCIA requires CISA to develop and issue regulations requiring covered entities to report to CISA within 24 hours of making any ransom payments as a result of a ransomware attack. CISA must share such reports with federal agencies.
  • Ransomware vulnerability warning pilot program: CISA must establish a pilot program to identify systems with vulnerabilities to ransomware attacks and may notify the owners of those systems.
  • Joint Ransomware Task Force: CISA has announced the launch of the Joint Ransomware Task Force in accordance with the statute to build on the important work that has already begun to coordinate an ongoing nationwide campaign against ransomware attacks. CISA will continue working closely with the FBI and the national cyber director to build the task force.4

CISA’s stated goals under the act include to “enhance the quality and effectiveness of information sharing and coordination efforts with appropriate entities” and to “provide appropriate entities with timely, actionable, and anonymized reports of cyber incident campaigns and trends, including, to the maximum extent practicable, related contextual information, cyber threat indicators, and defensive measures.”5

What industries and cybersecurity incidents are covered by CIRCIA?

CIRCIA regulates “covered entities,” meaning public and private organizations in one of the critical infrastructure sectors designated in Presidential Policy Directive 21 that also satisfy the more specific definition CISA must establish in the final rule; being in a sector is necessary but not, by itself, sufficient. In total, PPD-21 designates 16 critical infrastructure sectors whose assets, systems and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on national security, national economic security, national public health or safety, or any combination thereof.6

When most people think about critical infrastructure, industries like oil, gas, energy, transportation, water and emergency services come to mind. However, PPD-21 also includes the financial services and health care industries, which are already highly regulated under state and federal data privacy regimes.

CIRCIA requires covered entities to report “covered cyber incidents” to CISA within 72 hours of the time the entity reasonably believes the incident occurred. The statute defines a covered cyber incident as a substantial cyber incident experienced by a covered entity that meets the definition CISA sets in the final rule, and it requires that definition to include, at a minimum, incidents that cause a substantial loss of confidentiality, integrity or availability of a system or network (or a serious impact on the safety and resiliency of operational systems), incidents that disrupt business or industrial operations (including through denial of service, ransomware or exploitation of a zero-day vulnerability), and unauthorized access or disruption caused by the compromise of a cloud service provider, managed service provider, other third-party data hosting provider or the supply chain. The statute separately defines a “significant cyber incident” as a cyber incident, or group of related cyber incidents, that CISA determines is likely to result in demonstrable harm to the national security interests, foreign relations or economy of the United States or to the public confidence, civil liberties or public health and safety of the people of the United States.7 While it is obvious, for example, that a ransomware attack that limits a hospital’s ability to deliver patient care falls within these definitions, covered entities have not yet received much guidance on whether, and how, less disruptive cybersecurity incidents must be reported; that line will be drawn in the final rule.

How does CIRCIA change existing incident notifications and timelines?

For certain industries, like health care, CIRCIA imposes a rapid regulatory notification obligation for the first time and broadens the universe of reportable events. Currently, under the Health Insurance Portability and Accountability Act (HIPAA), covered health care entities must notify the U.S. Department of Health & Human Services (HHS) of breaches of unsecured protected health information (PHI), and for breaches affecting 500 or more individuals that notice is due within 60 days of discovery; they are not required to report ransom payments, or incidents that do not involve access to, or the entity’s inability to access, PHI. Notably, CIRCIA contains an exception to its reporting requirement for entities “required by law, regulation[] or contract to report substantially similar information to another [f]ederal agency within a substantially similar time frame,” and the exception applies only where CISA and that agency have an agreement and mechanism in place to share the reports.8 Since HIPAA-covered entities are not required to report ransom payments or events that do not involve PHI to HHS, and since a 60-day breach notice is not a substantially similar time frame to 72 hours, health care entities are unlikely to meet the exception and likely will be required to disclose many more incidents under much shorter timelines.

Other industries, like financial services, will add yet another urgent reporting obligation to the list. Banks are already required to notify their primary federal regulator within 36 hours after determining that a “notification incident” has occurred, meaning a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the bank’s ability to serve its customers or carry out its operations.9 Financial institutions licensed in New York are required to report cybersecurity events to the New York Department of Financial Services (NYDFS) within 72 hours of determining that a reportable event has occurred. The National Credit Union Administration (NCUA) has also proposed a rule requiring federally insured credit unions to notify the NCUA within 72 hours of reasonably believing that a reportable cyber incident has occurred. It is unclear at this stage whether these timelines will be considered “substantially similar” to CIRCIA’s and whether CISA will have the required sharing agreements in place with the regulators enforcing them, such that these financial institutions can rely on the exception to CIRCIA’s 24- or 72-hour reporting requirement. Because the exception covers only reports to another federal agency, a state requirement such as the NYDFS rule would not by itself satisfy it.

How should organizations prepare for CIRCIA?

While there is still some time before CISA issues the final rule, organizations that fall within one of the 16 critical infrastructure sectors should begin planning for CIRCIA along the lines outlined below.

Review the list of ‘critical infrastructure’ industry sectors

Does CIRCIA apply to your organization? Many organizations may not realize the broad scope of CIRCIA. The critical infrastructure sectors designated by PPD-21 and managed by DHS are chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials and waste; transportation systems; and water and wastewater systems. Organizations that fit within these sectors should be aware of the developing law and understand the applicability of the reporting obligations.

Monitor the rulemaking process

Organizations that are covered by CIRCIA should keep tabs on the rulemaking process. The public listening sessions recently concluded, and the comments received could shape the proposed reporting requirements and timelines. Organizations should stay up to date on these changes and understand which provisions make it into the final rule.

Update incident response plans

Organizations within the scope of CIRCIA should develop or update incident response plans to address these time-sensitive notification requirements. For many sectors, the quick reporting requirements will be unfamiliar and could easily be overlooked in the critical early hours of a security incident response. The plan should record when the organization formed a reasonable belief that a covered incident occurred, because that moment starts the 72-hour clock, and who is authorized to make that determination. It should also include detailed procedures for evidence preservation and collection: the statute contemplates that incident reports will describe the affected systems, the vulnerabilities exploited, the tactics, techniques and procedures used and relevant indicators of compromise, and that ransom payment reports will include the date of payment, the ransom demand (including the type of virtual currency requested), the payment instructions such as the wallet address, and the amount paid. For instance, even if your organization has no intention or need to pay a ransom, collecting details from the ransom note and a sample of encrypted files will be essential for reporting the incident to CISA.
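As an added illustration of the evidence-preservation step described above (this is example code written for this page, not Polsinelli’s or CISA’s, and CISA has published no such tool), the following Python script walks a suspected-ransomware directory read-only, records a hash, size and timestamp for every file, flags probable ransom notes and encrypted files, pulls payment-related indicators (onion service, contact mailbox, bitcoin address) out of the note text, and computes the statutory 72-hour and 24-hour clocks. The filename heuristics, extension list, indicator patterns, sample files, note text and incident timeline are all constructed assumptions for the example; the deadlines reflect the statute as written and may be refined by the final rule.

```python
"""Evidence-preservation manifest for a suspected ransomware incident.

Added example for this article (not Polsinelli's or CISA's code). It hashes
every file under an incident directory without modifying it, flags probable
ransom notes and encrypted files, pulls payment-related indicators out of the
note text, and computes the statutory CIRCIA clocks (72 h for the covered
incident, 24 h for a ransom payment; the final rule may refine these).
The incident directory, filenames and note text are constructed inline so
the script runs offline.
"""
import hashlib
import json
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

# Detection heuristics are assumptions for the example, not an exhaustive list.
NOTE_NAME = re.compile(r"(readme|restore|decrypt|recover|how_to).*\.(txt|html|hta)$", re.I)
ENCRYPTED_EXTS = {".locked", ".encrypted", ".crypt", ".enc"}

# Indicators a ransom payment report needs: where to pay and how the actor is reached.
IOC_PATTERNS = {
    "onion_url": re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "btc_address": re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
}


def sha256_file(path: Path) -> str:
    """Stream the file read-only so the evidence is never rewritten."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def extract_iocs(text: str) -> dict:
    """Return each indicator type found in the note text, de-duplicated and sorted."""
    return {name: sorted(set(p.findall(text))) for name, p in IOC_PATTERNS.items()}


def build_manifest(root: Path, collected_at: datetime) -> dict:
    """Record path, size, hash and UTC mtime for every file; parse any ransom note."""
    files, iocs = [], {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        entry = {
            "path": path.relative_to(root).as_posix(),
            "size": st.st_size,
            "sha256": sha256_file(path),
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "ransom_note": bool(NOTE_NAME.search(path.name)),
            "encrypted": path.suffix.lower() in ENCRYPTED_EXTS,
        }
        if entry["ransom_note"]:
            for kind, values in extract_iocs(path.read_text(errors="replace")).items():
                iocs.setdefault(kind, set()).update(values)
        files.append(entry)
    return {
        "collected_at_utc": collected_at.isoformat(),
        "files": files,
        "ransom_note_iocs": {k: sorted(v) for k, v in iocs.items()},
    }


def reporting_deadlines(reasonable_belief: datetime, ransom_paid: Optional[datetime] = None) -> dict:
    """72 h from when the entity reasonably believes the incident occurred;
    24 h from the moment any ransom payment is made (statutory figures)."""
    due = {"covered_incident_report_due": (reasonable_belief + timedelta(hours=72)).isoformat()}
    if ransom_paid is not None:
        due["ransom_payment_report_due"] = (ransom_paid + timedelta(hours=24)).isoformat()
    return due


def demo() -> dict:
    """Build a constructed incident directory and run the collection over it."""
    root = Path(tempfile.mkdtemp(prefix="circia_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / "q3_ledger.xlsx.locked").write_bytes(b"\x00" * 4096)
    (root / "finance" / "payroll.csv.locked").write_bytes(os.urandom(2048))
    (root / "README_TO_RESTORE.txt").write_text(  # constructed note text
        "Your network has been encrypted.\n"
        "Contact support@example.invalid or visit\n"
        "exampleexampleexampleexample5z6a.onion for instructions.\n"
        "Send 0.5 BTC to bc1qexampleexampleexampleexampleexample within 72 hours.\n"
    )
    belief = datetime(2022, 11, 1, 8, 0, tzinfo=timezone.utc)   # constructed timeline
    paid = datetime(2022, 11, 2, 15, 30, tzinfo=timezone.utc)
    return {
        "manifest": build_manifest(root, collected_at=belief + timedelta(minutes=40)),
        "deadlines": reporting_deadlines(belief, paid),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is written nowhere near the evidence (it goes to stdout here); in practice it should be stored, with its own hash, outside the affected system so that the collected values can be shown not to have changed between collection and the CISA report.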

Train an incident response team

Organizations should also ensure their incident response team is briefed on the CIRCIA reporting requirements. Information security and information technology teams are often the first to know about a security incident. It is very important for these teams to understand the new timelines and the internal process for quickly informing in-house and/or outside counsel about a security incident that could be a covered incident under CIRCIA. For organizations that have never experienced a significant cyber event like ransomware, it is hard to comprehend the number of competing priorities within the first few days of responding to an incident. Building an awareness of the CIRCIA reporting requirements across departments will give organizations the best opportunity to be compliant with these new processes.

1 https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html.
2 https://www.nytimes.com/2021/05/13/us/politics/biden-colonial-pipeline-ransomware.html.
3 https://www.cisa.gov/circia.
4 Ibid.
5 Division Y of the Consolidated Appropriations Act, 2022 (Pub. L. 117-103), Cyber Incident Reporting for Critical Infrastructure Act of 2022, Sec. 2241 (Cyber Incident Review).
6 https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.
7 Cyber Incident Reporting for Critical Infrastructure Act of 2022, Sec. 2240 (definitions of “covered cyber incident” and “significant cyber incident”) and Sec. 2242(c)(2) (minimum scope of covered cyber incidents).
8 Ibid., Sec. 2242(a)(5).
9 12 CFR Part 304, Subpart C (FDIC); parallel rules for OCC- and Federal Reserve-supervised institutions appear at 12 CFR Part 53 and 12 CFR Part 225.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Polsinelli | Attorney Advertising
