CISA Proposes Cyber Incident Reporting Rules

May 23, 2024

In 2022 Congress passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The Cybersecurity and Infrastructure Security Agency (CISA) has now proposed rules to implement the Act. The proposed rules are complicated, but a Locke Lord study by Laura L. Ferguson, John K. Arnold, Kenneth K. Suh and Emma Bennett summarizes the key elements.

  • CIRCIA covers 16 industry sectors with over 316,000 entities. Among the sectors considered "critical infrastructure" are communications, financial services, healthcare and public health, information technology, and water and wastewater systems. Based on other federal regulations, entities subject to CIRCIA may be classified as small businesses; if they exceed the small business standard, different criteria apply.
  • CIRCIA is not limited to entities that own or operate systems or assets defined as "critical infrastructure". Vendors, contractors and service providers in those sectors are also subject to CIRCIA's requirements.
  • Covered cyber incidents fall into four categories:
    1. A substantial loss of confidentiality, integrity or availability of an entity's information system or network.
    2. A serious impact on the safety and resiliency of an entity's operational systems and processes.
    3. A disruption of an entity's ability to engage in business operations.
    4. Unauthorized access to an entity's information system or network caused by compromise of a third party provider or supply chain.

While the first three categories require a determination of factors as to whether an incident qualifies for reporting, CISA considers any unauthorized access to be subject to reporting.

  • Reports are required to be submitted electronically to CISA using CIRCIA's incident reporting form within 72 hours of a reasonable belief that a cyber incident has occurred, or 24 hours of making a ransom payment. If the entity does not have all the information they need to complete the report, they can respond noting some facts as unknown or pending investigation.
  • Entities legally required to report to other federal agencies are exempt from CIRCIA reporting as long as there is information sharing between that agency and CISA.
  • If an entity fails to report an incident or ransom payment, CISA has the authority to issue a Request for Information (RFI). If the entity does not respond to the RFI within 72 hours, CISA can issue a subpoena and, if there is still no response, ask the Attorney General to enforce it.

CISA is accepting public comments on the rules. There is a potential for overlapping reporting requirements of other agencies, and this may not be addressed until the final rules become effective.