On March 27, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) issued a Notice of Proposed Rulemaking (“NPRM”) as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). A pre-publication version has been released. The NPRM will be formally published on April 4, 2024, and comments are due by June 3, 2024. Under the proposed rule, “covered entities” would be required to report (1) “covered cyber incidents,” (2) ransom payments made in response to a ransomware attack, and (3) substantially new or different information discovered in connection with reports previously submitted to CISA. A covered entity must notify CISA within 72 hours of a covered cyber incident and within 24 hours of a ransom payment made in response to a ransomware attack.
CISA proposes that a covered cyber incident is a “major” cyber incident that results in any of the following: (1) a significant loss of confidentiality, integrity, or availability of the covered entity’s information systems or networks; (2) a significant impact on the safety and resiliency of the covered entity’s operational systems and processes; (3) a disruption of the covered entity’s ability to engage in business or industrial operations, or to deliver goods or services; or (4) unauthorized access to the covered entity’s information systems or networks, or to non-public information contained therein, that was facilitated by or caused by a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or by a supply chain compromise.
CISA also proposes that “covered entities” include (1) entities within a critical infrastructure sector that exceed the small business size standards specified by the U.S. Small Business Administration, or (2) entities that meet sector-specific criteria established by CISA for critical infrastructure entities. CISA treats 16 sectors as “critical infrastructure”: commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; State, Local, Tribal, and Territorial Government Coordinating Council; transportation systems; and water and wastewater.
If a covered entity experiences any of the three reportable events listed above, CISA proposes that the covered entity submit a report through a web-based form, the CIRCIA Incident Reporting Form, which will be available on CISA’s website. The proposed rule would give CISA enforcement authority to issue requests for information (“RFIs”) and administrative subpoenas. Failure to comply with a subpoena could result in the matter being referred to the U.S. Attorney General to enforce compliance. Any covered entity that knowingly and willfully makes a materially false or fraudulent statement or representation in, or in connection with, a CIRCIA report, an RFI response, or a response to an administrative subpoena is subject to penalties.