Major changes in cybersecurity compliance are on the horizon, and businesses need to prepare. Starting in 2024, organizations will face new requirements to report cybersecurity incidents and ransomware payments to the federal government. The changes stem from the US Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issuing a notice of proposed rulemaking (NPRM) on April 4, 2024. The notice is intended to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). In short, “covered entities” must report certain cyber incidents and ransom payments to CISA within a set time frame.
Background
In March 2022, President Joe Biden signed CIRCIA into law, a major step toward improving America's cybersecurity. The act requires CISA to develop regulations requiring covered organizations to report cyber incidents and ransom payments. The purpose is to let CISA quickly assist victims, analyze trends across different sectors, and share critical information with network defenders to prevent other potential attacks.
The proposed rule is open for public comment until July 3, 2024. After this period, CISA will have 18 months to finalize the rule; the final rule is expected on or around October 4, 2025, and the rule is expected to take effect in early 2026. This document highlights key points from the detailed Federal Register notice and provides an overview of the NPRM.
Cyber Incident Reporting Initiative
CIRCIA contains several important requirements regarding mandatory reporting of cyber incidents.
- Cyber Incident Reporting Requirements – CIRCIA requires CISA to develop regulations requiring covered organizations to report covered cyber incidents within 72 hours of the time they reasonably believe an incident has occurred.
- Sharing Federal Incident Reports – Federal agencies that receive a report of a cyber incident after the effective date of the final rule must share the report with CISA within 24 hours, and CISA must provide information it receives under CIRCIA to certain Federal agencies within the same time frame.
- Cyber Incident Reporting Council – The Department of Homeland Security (DHS) should establish and chair an Intergovernmental Cyber Incident Reporting Council to coordinate, deconflict, and harmonize Federal incident reporting requirements.
Ransomware Protection
CIRCIA has approved or mandated several initiatives to combat ransomware.
- Ransom Payment Reporting Requirements – CISA should develop regulations requiring covered organizations to report to CISA within 24 hours of paying a ransom following a ransomware attack, and these reports must be shared with federal agencies in a manner similar to cyber incident reports.
- Ransomware Vulnerability Alert Pilot Program – CISA should establish a pilot program to identify systems vulnerable to ransomware attacks and may notify owners of those systems.
- Joint Ransomware Task Force – CISA announced that it is launching a Joint Ransomware Task Force to strengthen existing efforts to coordinate a nationwide campaign against ransomware attacks. The task force will work closely with the Federal Bureau of Investigation and the Office of the National Cyber Director.
Scope of application
The regulation applies to a broad range of “covered entities” within the critical infrastructure sectors. CISA clarifies that “covered entities” extend beyond owners and operators of critical infrastructure systems and assets. Entities that actively participate in these sectors may be considered “within the sector” even if they are not themselves critical infrastructure. Entities that are unsure of their status are encouraged to contact CISA.
Critical Infrastructure Sector
CISA’s interpretation includes entities that are in any of the 16 sectors defined in Presidential Policy Directive 21 (PPD-21). These sectors are chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.
Eligible Entities
CISA seeks to capture small businesses that own and operate critical infrastructure by setting additional sector-specific criteria. The proposed rule would apply to organizations that fall into either of two categories:
- Entities operating in critical infrastructure sectors, excluding small and medium-sized enterprises
- Small and medium-sized enterprises that are critical infrastructure sector entities that meet sector-based criteria
Size-Based Criteria
Size-based thresholds use Small Business Administration (SBA) standards that vary by industry and are based on annual revenue and number of employees. Organizations in critical infrastructure sectors that exceed these thresholds are “covered organizations.” SBA standards are updated periodically, so organizations should stay informed about the current thresholds that apply to their industry.
Sector-Based Standards
The sector-based criteria target significant entities within a sector, regardless of size, based on the potential impact of a disruption. The proposed rule outlines specific criteria for nearly all 16 critical infrastructure sectors. For example, criteria for the information technology sector include:
- Organizations that provide IT services to the federal government
- Organizations that develop, license, or maintain critical software
- Manufacturers, vendors, or integrators of operational technology hardware or software
- Organizations involved in election-related information and communications technology
In the medical and public health sector, criteria include:
- Hospitals with 100 or more beds
- Critical access hospitals
- Manufacturers of certain medicines or medical devices
Cyber incidents covered
Covered entities must report “covered cyber incidents,” which include any substantial loss of confidentiality, integrity, or availability of an information system; any serious impact on the safety and resilience of operational systems; any disruption of business or industrial operations; and any unauthorized access resulting from the compromise of a third-party service provider or of the supply chain.
Major incident
This definition covers significant cyber incidents regardless of cause, including third-party compromise, denial-of-service attacks, and vulnerabilities in open source code, but it does not include mere threats, or activity carried out at the request of the owner or operator. Examples of major incidents include encryption of core systems, exploits causing extended downtime, and ransomware attacks against industrial control systems.
Reporting Requirements
Covered organizations must report a cyber incident to CISA within 72 hours of reasonably determining that it has occurred. Reports must be submitted via the web-based “CIRCIA Incident Reporting Form” on the CISA website and must include detailed information about the incident and any ransom payments.
Report types and timelines
- Covered cyber incident report: within 72 hours of reasonably believing the incident has occurred
- Ransom payment report: within 24 hours of making the payment
- Joint cyber incident and ransom payment report: within 72 hours, where a ransom payment is made in connection with a covered cyber incident
- Supplemental report: within 24 hours of new information becoming available or an additional ransom payment being made
Companies must retain data used in reports for at least two years. Companies may authorize third parties to submit reports on their behalf, but compliance remains the responsibility of the company.
Exemption from similar reporting
Covered organizations may be exempt from CIRCIA reporting if they already report to another federal agency, so long as an agreement exists between CISA and that agency. The agreement must ensure that reporting requirements are substantially similar and that the agency shares information with CISA. Federal agencies that report to CISA under the Federal Information Security Modernization Act (FISMA) are exempt from CIRCIA reporting.
These agreements are still being developed, and organizations that report to other Federal agencies should stay abreast of progress to understand how it may affect their reporting obligations under CIRCIA.
Enforcement and Penalties
The CISA Director may issue a Request for Information (RFI) if an organization fails to submit required reports. Non-compliance may result in civil lawsuits or court orders, including penalties such as debarment and limitations on future government contracts. Any false statements in a report may result in criminal penalties.
Information Protection
CIRCIA provides protections for reports and RFI responses, including immunity from enforcement actions based solely on the filing of a report and protections against legal discovery and use in litigation. Reports are exempt from Freedom of Information Act (FOIA) disclosure and organizations can designate reports as “commercial, financial, and proprietary information.” Information can be shared with federal agencies for cybersecurity purposes or specific threats.
Takeaways for Businesses
Although the rule won't go into effect until late 2025, companies should start preparing now. Companies should review the proposed rule to determine whether they qualify as covered entities, understand the reporting requirements, and adjust their security programs and incident response plans accordingly. Creating a regulatory notification chart can help keep track of the various incident reporting obligations. Proactive measures, together with formal comments on the proposed rule, can ease compliance once the rule is finalized.
These steps are designed as a guide to help companies prepare for CIRCIA, but each company must evaluate its own needs and steps within its particular operational, business and regulatory context.