The federal government is making headway on its efforts to get more organizations to disclose security incidents, with plans to compel upwards of 316,000 U.S. critical infrastructure owners, operators and suppliers to quickly divulge cyberattacks and ransom payments.
The proposed rule for the Cyber Incident Reporting for Critical Infrastructure Act of 2022, signed into law in March 2022 and dubbed CIRCIA, marks a sea change in how industries share sensitive and actionable cyber incident details at the federal level.
The Cybersecurity and Infrastructure Security Agency posted an initial version of its 447-page notice of proposed rulemaking last week, which will be published in the Federal Register on Thursday with a 60-day public comment period following suit. The rule will go live within 18 months.
Dozens of federal, state and local cyber incident reporting regulations are already on the books, applying to various entities operating in the U.S. CIRCIA manifests a federal coalescence around these efforts.
“Prior to the enactment of CIRCIA, there was no federal statute or regulation supporting a comprehensive and coordinated approach to understanding cyber incidents across critical infrastructure sectors,” CISA said. “Nor was there a federal department or agency charged with coordinating cross-sector sharing of information related to cyber incidents with federal and non-federal stakeholders.”
There’s a lot riding on this rule and many questions remain open ended, including how CISA will enforce it and put the trove of data the rule will elicit into action. Cybersecurity Dive broke down what CIRCIA requires covered entities to disclose and when.
When do the rules take effect?
No later than October 2025.
What is a covered entity?
The rule applies to organizations operating in any of the 16 critical infrastructure sectors previously designated as such by CISA. The agency says it will initiate an outreach and education campaign to inform entities that fall under the regulatory reporting requirements of CIRCIA.
CISA estimates the rule will cover up to 316,244 entities, resulting in 210,525 CIRCIA reports over an 11-year period. This count includes presumptive supplemental reports and multiple reports from the same organization over the 11-year span.
In total, CISA’s estimate amounts to CIRCIA reports from two-thirds of all covered entities.
The agency expects CIRCIA to carry costs of $1.4 billion to industry and $1.2 billion to the federal government over that period.
The proposed rule clarifies that entities in a critical infrastructure sector must exceed the small business size standard specified in the U.S. Small Business Administration’s small business size regulations.
Though the standards vary by industry, the current threshold for small business status encompasses organizations with between 100 and 1,500 employees and annual revenue between $2.75 million and $47 million, depending on the industry.
Entities that meet a sector-based criterion, regardless of which critical infrastructure sector the entity considers itself a part of, are also covered by the rule.
When will companies have to file a report?
Covered entities are required to submit a Covered Cyber Incident Report to CISA within 72 hours after the organization “reasonably believes the covered cyber incident occurred,” according to CISA.
Ransom Payment Reports must be filed with CISA within 24 hours of a ransom payment disbursement.
Covered entities that experience a cyber incident and make a ransom payment within 72 hours after determining a cyber incident occurred may submit a Joint Covered Cyber Incident and Ransom Payment Report to CISA within 72 hours.
What will companies have to disclose?
Covered entities are required to submit CIRCIA reports to CISA through a web-based CIRCIA Incident Reporting Form on CISA’s website.
All CIRCIA reports must include details about how the incident was carried out, including a description of vulnerabilities exploited, security defenses in places, and the tactics, techniques and procedures used during the attack.
Additional information about the cyber incident, the function of the affected networks or systems, and technical details such as unauthorized access, indicators of compromise, dates pertaining to the incident, and operational impacts must also be included.
Victim organizations that pay ransom payments are required to include a description of any malicious software used during the attack, contact information for each actor presumed responsible for the attack and the date of the ransom payment.
Other required information includes the ransom payment amount, type of assets used, the ransom payment demand, instructions and outcomes.