On March 27, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security published a long-awaited notice of proposed rulemaking (NPRM) pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Signed into law in 2022 by President Joe Biden, CIRCIA required CISA to develop regulations addressing cyber incident reporting. While the final regulations are likely more than a year away, this post provides highlights on some of the key requirements of the proposed rule.
The draft rule is notable for a few reasons. As we discuss below, the draft rule:
- Broadly defines covered entities.
- Provides clarity around the new reporting thresholds of “substantial cyber incidents” and ransomware payments.
- Describes the liability for noncompliance.
- Attempts to address the increasingly patchworked and overlapping approach by the federal government with respect to reporting cyber incidents.
The overall draft suggests that even companies that haven’t previously identified as part of US critical infrastructure may now be regulated under CIRCIA.
Broad definition of ‘covered entities’
The NPRM states that “CISA interprets the word ‘entity’ to be a broad term, generally including any person, partnership, business, association, corporation, or other organization (whether for-profit, not-for-profit, nonprofit, or government),” and “[t]he organizational structure or nomenclature chosen by the entity does not matter as long as it is a structure that imports legal presence or standing in the United States.” While initial reactions to the proposed rule raise concerns that smaller entities will be exempt from CIRCIA requirements (and note the importance smaller entities have in the functioning of US critical infrastructure), the text of the proposed rule indicates that a smaller entity will be subject to the regulations if it exceeds the “small business size standard” as defined by 13 Code of Federal Regulations Part 121 and meets certain sector-based criteria that we describe below.
CISA’s statutory mandate covers entities within 16 critical infrastructure sectors. The CIRCIA rule understandably tracks this mandate, applying to a broad swath of “covered entities” that must operate within one of the 16 critical infrastructure sectors and either exceed the small business size requirement or meet certain sector-based criteria.
Under the proposed rule, the sector-based criteria include, for example:
- Information technology entities that either:
- Provide information technology systems or services to the federal government.
- Develop or maintain software that has one or more specific attributes, including being designed to run with elevated privileges or manage privileges, having the ability to control access to data or operational technology, or performing “a function critical to trust”.
- Are equipment manufacturers, vendors or integrators of operational technology components.
- Perform domain name functions.
- Critical manufacturing entities.
- Essential drug manufacturers.
- Emergency service providers.
- Owners/operators of chemical facilities.
- State/local/tribal governments.
- Election-related vendors.
- Nuclear power reactor operators.
- Community water service providers.
The proposed rule brings within scope covered entities who may be subject to other federal regulations, which notably include:
- Contractors for the Department of Defense (DOD) who process covered defense information.
- Owners/operators of financial services sector infrastructure, including banks, savings and loan holding companies, and money services businesses, among others.
- Hospital owners (among other healthcare-related entities).
- Certain educational institutions.
Numerous federal agencies already require reporting of certain cyber incidents – for example, the Securities and Exchange Commission (SEC) under its new 8-K disclosure requirements, the Federal Trade Commission under its recently updated Safeguards Rule, and the DOD under its Safeguarding Covered Defense Information and Cyber Incident Reporting requirements, to name a few.
The proposed rule notes that these may be taken into account, providing a mechanism for agreements between CISA and federal agencies that require similar reporting to allow a covered entity to satisfy its CIRCIA reporting obligations if it duly reports pursuant to the other federal agency’s requirements and federal agency has entered into a “CIRCIA Agreement” with CISA.
Other government entities cannot use information “obtained solely through a CIRCIA Report” (emphasis added) in any enforcement proceeding except when the government entity has expressly allowed the covered entity to meet its regulatory obligations through a report to CISA. For entities that have multiple reporting obligations (e.g., to the SEC, New York State Department of Financial Services or DOD), the safe haven from non-CISA enforcement actions may not be applicable.
New requirements
‘Substantial cyber incident’
Under the proposed rule, a “substantial cyber incident” means a cyber incident that leads to any of the following:
- A substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network.
- A serious impact on the safety and resiliency of a covered entity’s operational systems and processes.
- A disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services.
- Unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by a compromise of a cloud service provider, a managed service provider or another third-party data hosting provider, or that is the result of a supply chain compromise .
Notably, CISA is the latest US government agency to define cyber incidents regardless of the impact on personal information, continuing a trend in regulations that we have seen most recently with the SEC’s new disclosure requirements. These proposed and enacted regulations are increasingly concerned with the overall impact of an incident versus consumer protection.
Reporting obligations
The proposed rule’s primary provision requires covered entities to report a “substantial cyber incident” within 72 hours of the covered entity’s reasonable belief that a substantial cyber incident has occurred.
Covered entities also are obligated to report to CISA within 24 hours if they make a payment to a ransomware actor. Under the proposed rule, a ransom payment “means the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.”
Covered entities will be required to submit reports of cyber incidents through an online form, and the contents of the report in the proposed rule are proscriptive. Covered entities will be required to provide all available information, including:
- An identification of the impacted systems and/or devices, including technical details and physical locations of such systems and/or devices.
- A description and timeline of the compromise.
- The impact on operations or any other additional information to help CISA assess impacts to national security and/or public health and safety.
- Description of security measures in place prior to the incident.
- Description of mitigation and actions taken in response to the incident.
In a ransom payment report, covered entities will be required to report substantially similar information to the above reporting requirements, along with information on the ransom demanded, payment instructions, payment logistics (e.g., currency and method of transmission), and information on the outcome of the payment.
Protections and record-keeping
The proposed rule provides protections to reports and responses submitted pursuant to CIRCIA. Reports and subsequent responses can be treated as commercial, financial and proprietary information of the covered entity, if property marked, and are exempt from Freedom of Information Act requests. Reports and subsequent responses also do not waive applicable privilege (including trade secret protections).
Covered entities are required to preserve data and records in relation to a submitted report, such as communications with a threat actor, indicators of compromise, relevant log entries and forensic artifacts (including data regarding the initial attack vector), data and records related to the disbursement of payment to a threat actor, and any internal and external forensic reports. Such information must be retained by the covered entity for no less than two years from the date of the report submission.
Potential liability
The proposed rule has the potential to attach significant liability for violations. CISA’s director may “refer information concerning a covered entity’s noncompliance with the reporting requirements” in relation to federal contract to the Department of Justice (DOJ) for “civil or criminal enforcement.” Given that critical infrastructure entities may be federal contractors (and subject to certain federal contracting requirements pertaining to information security), this provision and the attachment of potential criminal liability is significant.
Additionally, CISA may issue a request for information from a covered entity if CISA suspects (from public media reporting or other sources) that the covered entity has experienced a cyber incident or made a ransom payment and failed to report it to CISA. Failure to comply with a request for information, or an inadequate response, could result in a subpoena to compel the information. CISA may provide information submitted in response to a subpoena to the DOJ or another federal agency if CISA believes there may be “grounds for criminal prosecution or regulatory enforcement action.”
What comes next
CISA formally published its proposed rule to the Federal Register on April 4, 2024, giving the public 60 days to submit written feedback to the proposed rule. Companies that may fall within scope as covered entities should consider submitting comments on the proposed rule to help inform the final regulation. The notice and comment period will be lengthy, with the final CIRCIA regulation not anticipated for at least 18 months.
Conclusion
The proposed CIRCIA rules are an important step in federal regulation of cybersecurity incidents. Similar to other federal regulations regarding cyber incident reporting, CIRCIA’s aims of increasing federal awareness of cyber incidents (particularly those relating to critical infrastructure) are understandable, and the regulations certainly may prompt covered entities to reassess their cybersecurity posture and prioritize incident preparedness. However, the regulations will be most effective with input from covered entities and other stakeholders as part of the notice and comment process.