On March 27, 2024, the U.S. Cybersecurity and Infrastructure Security Agency’s (“CISA”) Notice of Proposed Rulemaking (“Proposed Rule”) related to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) was released on the Federal Register website. The Proposed Rule, which will be formally published in the Federal Register on April 4, 2024, proposes draft regulations to implement the incident reporting requirements for critical infrastructure entities from CIRCIA, which President Biden signed into law in March 2022. CIRCIA established two cyber incident reporting requirements for covered critical infrastructure entities: a 24-hour requirement to report ransomware payments and a 72-hour requirement to report covered cyber incidents to CISA. While the overarching requirements and structure of the reporting process were established under the law, CIRCIA also directed CISA to issue the Proposed Rule within 24 months of the law’s enactment to provide further detail on the scope and implementation of these requirements. Under CIRCIA, the final rule must be published by September 2025.
The Proposed Rule addresses various elements of CIRCIA, which will be covered in a forthcoming Client Alert. This blog post focuses primarily on the proposed definitions of two pivotal terms that were left to further rulemaking under CIRCIA (Covered Entity and Covered Cyber Incident), which illustrate the broad scope of CIRCIA’s reporting requirements, as well as certain proposed exceptions to the reporting requirements. The Proposed Rule will be subject to a review and comment period for 60 days after publication in the Federal Register.
Covered Entities
CIRCIA broadly defined “Covered Entity” to include entities that are in one of the 16 critical infrastructure sectors established under Presidential Policy Directive 21 (“PPD-21”) and directed CISA to develop a more comprehensive definition in subsequent rulemaking. Accordingly, the Proposed Rule (1) addresses how to determine whether an entity is “in” one of the 16 sectors and (2) proposed two additional criteria for the Covered Entity definition, either of which must be met in order for an entity to be covered. Notably, the Proposed Rule’s definition of Covered Entity would encompass the entire corporate entity, even if only a constituent part of its business or operations meets the criteria. Thus, Covered Cyber Incidents experienced by a Covered Entity would be reportable regardless of which part of the organization suffered the impact. In total, CISA estimates that over 300,000 entities would be covered by the Proposed Rule.
Decision tree that demonstrates the overarching elements of the Covered Entity definition. For illustrative purposes only.
16 Critical Infrastructure Sectors. Consistent with CIRCIA, the proposed regulatory text of the Covered Entity definition includes that entities must be “in a critical infrastructure sector,” but the text does not define this term or describe how to determine which entities are within those sectors. However, the commentary in the Proposed Rule states that this threshold question is effectively tied to the sector descriptions in the critical infrastructure Sector-Specific Plans (“SSPs”) that were developed pursuant to PPD-21. Thus, entities can rely on the SSPs to determine if they are “in” a sector. Notably, the scope of the SSPs is not limited to owners and operators of critical infrastructure systems and assets. Accordingly, the Proposed Rule indicates that reporting requirements would also apply to a “small subset” of entities covered in the SSPs that are “active participants” in a particular sector and that can impact the security of critical infrastructure.
Additional Criteria. The Proposed Rule then outlines two additional scoping criteria for the definition of Covered Entity: (1) the size of an entity and (2) whether the entity meets certain sector-based criteria. A critical infrastructure entity that falls within one of the 16 sectors described above need only fall within one of these categories to be a Covered Entity.
- Size-Based Criteria. Under the Proposed Rule, any entity within a critical infrastructure sector that exceeds the U.S. Small Business Administration’s (“SBA”) small business size standard as specified by the applicable North American Industry Classification System (“NAICS”) code would be a Covered Entity. These standards vary by industry and are generally based on an entity’s number of employees or annual revenue. Under the Proposed Rule, each entity would follow the SBA’s rules for calculating size and revenue, including identifying which NAICS code must be applied to determine whether it meets the size-based criteria. Depending on the industry, the SBA standard’s employee and revenue thresholds can vary significantly.
- Sector-Based Criteria. The Proposed Rule specifies that Covered Entities would also include any entity within a critical infrastructure sector that meets one or more enumerated sector-based criteria, regardless of whether it exceeds the above-referenced SBA standards. These criteria are generally based on whether entities own or operate certain facilities or perform key functions. High-level summaries of the sector-based criteria are provided in the table below.
Sector | Sector-Based Criteria |
Chemical | Any entity in a critical infrastructure sector that owns or operates a covered chemical facility subject to the Chemical Facility Anti-Terrorism Standards (“CFATS”) |
Communications | Any entity that provides communications services by wire or radio communications, as defined in 47 U.S.C. §§ 153(40), 153(59), to the public, business, or government, including both one-way communications service providers (e.g., radio, television, and satellite) and two-way communications service providers (e.g., telecommunications, wireless service, VoIP, and internet service) |
Critical Manufacturing | Any entity that owns or has business operations that engage in one or more of the following: (i) primary metal manufacturing; (ii) machinery manufacturing; (iii) electrical equipment, appliance, and component manufacturing; or (iv) transportation equipment manufacturing |
Defense Industrial Base | Any entity that is a contractor or subcontractor required to report cyber incidents to the Department of Defense pursuant to the Defense Federal Acquisition Regulation Supplement cyber incident reporting clause, codified at 48 C.F.R. § 252.204-7012 (often referred to as the “DFARS Cyber Clause” or “DFARS 7012 Clause”) |
Emergency Services | Any entity that provides one or more of the following emergency services or functions to a population of 50,000 or more individuals: (i) law enforcement, (ii) fire and rescue, (iii) emergency medical services, (iv) emergency management, or (v) public works that contribute to public health and safety |
Energy | Any entity required to report cybersecurity incidents under the North American Electric Reliability Corporation (“NERC”) Critical Infrastructure Protection (“CIP”) Reliability Standards or required to file an Electric Emergency Incident and Disturbance Report OE-417 form, or any successor form, to the Department of Energy |
Financial Services | Any entity within the Financial Services sector (i) required to report cybersecurity incidents to their respective primary federal regulator, (ii) for whom the primary federal regulator has indicated an intention to require cybersecurity incident reporting, or (iii) that is encouraged or expected to report cybersecurity incidents to their primary federal regulator pursuant to an Advisory Bulletin |
Government Facilities | Any entity that falls within one of the following categories: Any state, local, tribal, or territorial (“SLTT”) government entity for a jurisdiction of 50,000 or more individuals;Any entity that qualifies as either a local educational agency, educational service agency, or state educational agency, as defined under 20 U.S.C. § 7801, with a student population of 1,000 or more students; or an institute of higher education that receives funding under Title IV of the Higher Education Act; orAny entity that manufactures, sells, or provides managed services for information and communications technology specifically used to support election processes or report and display results on behalf of SLTT governments |
Healthcare and Public Health | Any entity that (i) owns or operates a hospital with 100 or more beds or a critical access hospital, (ii) manufactures drugs listed in appendix A of the Essential Medicines Supply Chain and Manufacturing Resilience Assessment; or (iii) manufactures a moderate risk (Class II) or high risk (Class III) device as defined by 21 U.S.C. § 360c |
Information Technology | Any entity that (i) knowingly provides IT hardware, software, systems, or services to the federal government, (ii) developed and continues to sell, license, or maintain any software that meets the definition of “critical software” as defined by the National Institute of Standards and Technology pursuant to Executive Order 14028, (iii) is an original equipment manufacturer, vendor, or integrator of operational technology (“OT”) hardware or software components, or (iv) performs functions related to domain name operations |
Nuclear Reactors, Materials, and Waste | Any entity that owns or operates a commercial nuclear power reactor or fuel cycle facility |
Transportation Systems | Any entity that falls within one of the following categories: Entities identified by the Transportation Security Administration (“TSA”) as requiring cyber incident reporting and (in some cases) enhanced cybersecurity measures;Owners and operators of freight railroad carriers identified under 49 C.F.R. § 1580.1(a)(1), (4), and (5) and public transportation and passenger railroads identified in 49 C.F.R. § 1582.1;Owners and operators of critical pipeline facilities and systems identified in 49 C.F.R. part 1586;Entities required to implement a TSA-approved security program under 49 C.F.R. parts 1542, 1544, 1548, and 1549 (airports, passenger and all-cargo aircraft operators, indirect air carriers, and Certified Cargo Screening Facilities); orEntities that own or operate assets subject to the Maritime Transportation Security Act |
Water and Wastewater Systems | Any entity that owns or operates a Community Water System or Publicly Owned Treatment Works, as defined in 42 U.S.C. § 300f(15) or 40 C.F.R. § 403.3(q) respectively, for a population greater than 3,300 people |
The Proposed Rule does not include any separate sector-based criteria for the Commercial Facilities Sector, the Dams Sector, or the Food and Agriculture Sector, and would instead rely on the size-based or overlapping sector-based criteria to determine which entities in these sectors qualify as Covered Entities.
Covered Cyber Incidents and Ransomware Attacks
CIRCIA requires that Covered Entities report to CISA (1) any Covered Cyber Incident within 72 hours, and (2) any Ransomware Attack that results in a ransom payment within 24 hours. CIRCIA also requires Covered Entities to promptly submit certain supplemental reports providing updated or additional information about the incident following the initial submission. While CIRCIA included specific definitions for Ransomware Attack and Ransom Payment, which the Proposed Rule largely aligns with, CIRCIA directed CISA to provide a definition with more detailed criteria for a Covered Cyber Incident as part of the rulemaking process.
The Proposed Rule would define a Covered Cyber Incident to include two subsidiary definitions – a Cyber Incident and a Substantial Cyber Incident. First, the Proposed Rule provides a definition for the term Cyber Incident—that is, an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually jeopardizes, without lawful authority, an information system. A Cyber Incident that then meets certain impact-based criteria would be considered a Substantial Cyber Incident. Finally, a Covered Cyber Incident would be defined as any Substantial Cyber Incident experienced by a Covered Entity.
The Proposed Rule states that a Cyber Incident must meet certain impact-based criteria in order to be a Substantial Cyber Incident. There are four such criteria and an incident needs to meet only one of the four criteria to constitute a Substantial Cyber Incident.
- Substantial Loss of Confidentiality, Integrity, or Availability. The first criterion is a “substantial” loss of confidentiality, integrity, or availability (“CIA”) of an information system (including operational technology, or OT) or a network. The Proposed Rule notes that whether loss is “substantial” will depend on a variety of factors, including the type, volume, impact, and duration of the loss, such as an attack that cuts off services for an extended period or persistent access to information systems by a threat actor.
- Serious Impact on Safety and Resilience. The second criterion is a “serious” impact on the safety and resiliency of operational systems and processes. The Proposed Rule cites to NIST definitions of safety and resilience, and notes that “serious” will also depend on a variety of factors, such as the safety hazards posed by an incident. For example, the Proposed Rule states that cyber incidents that noticeably increases the potential for a release of hazardous chemicals used in chemical manufacturing or water purification, disrupts or compromises a BES cyber system that performs reliability tasks in the electric grid, or disrupts the ability of a communications service provider to transmit or deliver 911 calls would meet this definition.
- Significant Operational Disruption. The third is a disruption of the ability to engage in business or industrial operations, or deliver goods or services, due to: (1) an attack (including, but not limited to a denial-of-service attack, ransomware attack, or exploitation of a zero-day vulnerability) against (i) an information system or network or (ii) an operational technology system or process; or (2) a loss of service facilitated through, or caused by, a compromise of a cloud service provider (“CSP”), managed service provider (“MSP”), other third-party data hosting provider, or by a supply chain compromise. The Proposed Rule’s commentary notes that the disruption must be significant, akin to the “substantial” and “serious” qualifiers discussed above.
- Significant Third-Party Compromise. The last criterion is unauthorized access to an information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a CSP, MSP, other third-party data hosting provider, or a supply chain compromise. While similar to the loss of CIA, this criterion is focused on third-party and supply chain compromise. Again, the Proposed Rule’s commentary notes that the impacts must be significant to meet this criterion.
CISA states in the Proposed Rule that it interprets CIRCIA to limit the fourth criterion to unauthorized access that is achieved by the enumerated causes set forth in CIRCIA’s original statutory text (e.g., compromise of a CSP or supply chain compromise). To avoid ambiguity, the Proposed Rule includes a statement that a Cyber Incident that impacts a Covered Entity and results in any of the impacts identified in the first three criteria is a Substantial Cyber Incident, regardless of what caused the incident. In other words, the first three criteria are not limited by the source of a compromise (e.g., third-party compromise) or a particular attack vector (e.g., exploitation of a zero-day).
Exceptions
The Proposed Rule includes three exceptions to reporting requirements. First, Covered Entities are not required to report to CISA if the entity provides a legally required incident report to another federal agency that contains substantially similar information, is provided in a substantially similar timeframe, and can be shared within that timeframe under an information sharing agreement between CISA and the federal agency. Second, the Proposed Rule exempts critical infrastructure owned, operated, or governed by multi-stakeholder organizations that develop, implement, and enforce policies concerning the Domain Name System. Third, federal agencies required by the Federal Information Security Modernization Act to report incidents to CISA are exempt from reporting those incidents under CIRCIA.
Other Matters
The Proposed Rule addresses various other aspects of CIRCIA, including incident reporting content requirements and mechanisms, data and records preservation requirements, enforcement mechanisms, and additional definitions (e.g., CSP and Information System). These and other matters will be addressed in further detail in the forthcoming client alert.