The Cybersecurity and Infrastructure Security Agency (“CISA”) recently announced a proposed rule under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The rule was published in the Federal Register on April 4, 2024, and public comments are being solicited until June 3, 2024. The proposed rule would be codified as new Part 226 of Title 6 (Domestic Security) of the Code of Federal Regulations, within the Department of Homeland Security's regulations.
To save you the trouble of reading over 400 pages, here is a summary of the “who, what, when, where, why, and how” of CISA's proposed critical infrastructure incident reporting rule.
Author's note
As a quick side note, I was initially not happy to learn the length of this proposed rule, which led me to spend a good portion of two weekends reviewing it, but I found CISA's discussion easy to understand and useful. Breathtaking! Overall it's pretty reasonable.
CISA describes the process it used to arrive at the key definitions in the rule, including approaches that were considered but ultimately discarded. It provides an overview of the cyber incident reporting requirements currently in place in the United States (as part of a discussion of harmonization efforts, which many of us had high hopes for but which have not come to pass). It also gives examples of when incidents are and are not reportable under this rule: for example, short-term unavailability of a business system, temporary rerouting of network traffic, or a threat actor's attempted exploitation of a known vulnerability that is detected and remediated is generally not considered a reportable incident.
I also applaud CISA for documenting what we all know and grapple with when considering reporting timelines: determining that an incident has actually occurred, which is what starts the 72-hour reporting clock. The standard for reporting under the CISA regulations is higher than under, for example, the Department of Defense (“DoD”) cyber incident reporting regulations, which require reporting of incidents that “may have occurred.” This is a welcome recognition of the practical realities of detecting and responding to cyber incidents.
Who is “covered”?
CISA's new proposed rule would require covered entities in all 16 critical infrastructure sectors to report cyber incidents. Entities, regardless of size, that meet certain threshold criteria are subject to the rule. Businesses that are small according to the Small Business Administration's size standards and are not subject to threshold standards are excluded from the definition of a “covered entity.” Large companies in each critical infrastructure sector are subject to this rule, regardless of whether they meet the threshold criteria.
The proposed rule includes threshold standards for entities in 13 of the 16 critical infrastructure sectors. These are listed below. Threshold criteria for areas of significant interest to government contractors are explained in more detail.
- Chemical sector – Any entity that owns or operates a covered chemical facility subject to the Chemical Facility Anti-Terrorism Standards (CFATS).
- Communications sector – Any entity that provides communications services by wire or radio to the public, businesses, or government.
- This sweeps in federal telecommunications carriers, wireless carriers, and internet service providers.
- Critical Manufacturing sector – Entities that own or operate a business engaged in one or more of the four major manufacturing industries that make up this sector.
- Defense Industrial Base sector – Contractors or subcontractors required to report cyber incidents to the Department of Defense under DFARS 252.204-7012.
- This sweeps in DoD contractors and subcontractors of all sizes that handle controlled unclassified information (“CUI”).
- Emergency Services sector – Any entity that provides one or more specified emergency services or functions to a population of 50,000 or more.
- Energy sector – Entities required to report cybersecurity incidents under NERC's CIP reliability standards, or to submit the Electric Emergency Incident and Disturbance Report (Form OE-417, or its successor) to the Department of Energy.
- Financial Services sector – Three categories of entities that can affect the country's economic security.
- Government Facilities sector – Entities that meet one of three criteria relating to state, local, tribal, or territorial government; education; or election processes.
- Healthcare and Public Health sector – Any entity that meets certain criteria for patient services, and manufacturers of certain pharmaceutical products and devices.
- Information Technology sector – Any entity that meets one or more of four criteria, namely entities that (a) knowingly provide IT hardware, software, systems, or services to the federal government; (b) develop, sell, license, or maintain software that meets the NIST definition of “critical software”; (c) are an OEM, vendor, or integrator of OT hardware or software components; or (d) perform functions related to domain name operations.
- This sweeps in all government IT product and service providers, as well as companies that develop or resell “critical software” as defined under Executive Order 14028.
- Nuclear Reactors, Materials, and Waste sector – Any entity that owns or operates a commercial nuclear reactor or fuel cycle facility.
- Transportation Systems sector – Certain entities that meet criteria for non-maritime transportation, or that own or operate vessels, facilities, or outer continental shelf facilities.
- Water and Wastewater Systems sector – Certain owners and operators of community water systems or publicly owned treatment works (“POTWs”).
For entities in the other three sectors (Commercial Facilities, Dams, and Food and Agriculture), CISA does not propose sector-based threshold criteria, but large companies in these sectors would still be “covered entities.”
This proposed rule is estimated to affect more than 300,000 entities.
What do I need to report?
In addition to ransom payments, the proposed rule would require covered entities to report “substantial cyber incidents” and to provide supplemental reports when substantial new or different information is identified. The proposed definition of a “substantial cyber incident” focuses on the consequences of an incident rather than its causes, and covers an incident that results in any of the following:
- substantial loss of confidentiality, integrity, or availability of the covered entity's information systems or networks;
- serious impact on the safety and resiliency of the covered entity's operational systems and processes;
- disruption of the covered entity's ability to engage in business or industrial operations, or to deliver goods or services; or
- unauthorized access to the covered entity's information systems or networks, or to any non-public information contained therein, that was facilitated through or caused by a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or by a supply chain compromise.
Note that items #1 and #2 above carry the additional qualifiers “substantial” and “serious,” which are somewhat subjective criteria that companies will need to weigh. For #3 there is no explicit additional qualifier, but CISA states that it “believes it is appropriate to read in some degree of materiality.” For #4, however, CISA takes a different view, citing the seriousness of unauthorized access obtained through third parties such as cloud service providers (“CSPs”) and managed service providers (“MSPs”), and does not believe any further qualifier is needed before the incident must be reported. Where the cause is unknown, companies must report if they have a “reasonable belief” that the unauthorized access was caused by a third-party provider or supply chain compromise.
Unlike the current DoD cyber incident reporting regulations and other regulations in place today, which require reporting based on “potential” impact, CISA requires reporting only when an incident has actually resulted in one or more of the impacts above.
The proposed rule would also impose certain limits on the reporting obligation. For example, CISA is considering an exception where a covered entity reports “substantially similar information in a substantially similar timeframe” to another agency and CISA has a CIRCIA agreement with that agency. Many DoD contractors are already required to report cyber incidents within 72 hours, and DoD is expected to be at the top of the list for such agreements.
Note that the proposed rule expressly allows third parties (such as incident response (“IR”) firms, insurance or other service providers, and law firms) to submit reports on behalf of covered entities. This is already common practice in the cyber world and is expressly recognized here by CISA. The third party must certify that the covered entity has consented to its submitting the report. Separately, CISA continues to encourage voluntary reporting of incidents that may not be covered by the new rule.
When does the reporting period start?
Covered entities must report a covered cyber incident within 72 hours of forming a “reasonable belief” that a covered cyber incident has occurred, and must report a ransom payment within 24 hours of the payment being made. As noted above, CISA appears to be taking a rational approach here, stating that reasonable belief is “subjective and dependent on the particular factual circumstances associated with a particular case,” and that CISA does not expect covered entities to have reached a “reasonable belief” that a covered cyber incident occurred immediately after the incident itself.
Supplemental reports must be provided “promptly” if the covered entity obtains “substantial new or different information.” According to CISA, this means additional information becomes available that corresponds to a data field in a CIRCIA report, or information in a previously submitted report is found to be materially inaccurate or incomplete. This approach appears far more workable than what is currently contemplated in the FAR Council's proposed rule, “Cyber Threat and Incident Reporting and Information Sharing,” which would require covered contractors to provide updates every 72 hours regardless of whether any new or material information is available.
Where will you end up if you don't follow the rules?
CISA discusses several enforcement mechanisms for covered entities that do not report in accordance with the regulations. These include (1) issuing a request for information (RFI) seeking further details; (2) issuing subpoenas; (3) referring potential civil actions to the Attorney General; and (4) initiating suspension and debarment proceedings. Additionally, false or fraudulent statements in CIRCIA reports or other responses to CISA may result in penalties under 18 U.S.C. § 1001, the federal false statements statute.
The proposed rule also includes a data retention requirement: covered entities would have to retain data related to their reports (such as communications with threat actors, indicators of compromise, log entries, and forensic images) for two years after submitting the CIRCIA report or supplemental report.
Why are these new regulations introduced?
The proposed regulations are promulgated under CIRCIA, legislation passed in 2022 to address cyber threats to U.S. critical infrastructure that can affect national security, economic security, and public health and safety.
How do I submit a comment?
Comments may be submitted through June 3, 2024 through the Federal e-Rulemaking Portal located at: http://www.regulations.gov (Reference number CISA-2022-0010). CISA is interested in comments on all aspects of the proposed rule.