Overview
On April 4, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published a Notice of Proposed Rulemaking (“the Proposal”) for cyber incident reporting for critical infrastructure on. A public comment period will last for 60 days following the publication of the Proposal.
In the Proposal, CISA seeks comment on the requirements and implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) (P.L. 117-103), which passed into law in 2022, including for certain entities to provide a report to CISA within 72 hours of a “covered cyber incident,” among other new reporting requirements.
The following provides an overview of the new requirements under the Proposal.
Background
In March 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 into law. The legislation requires “covered entities” to provide a report to CISA within 72 hours after the entity reasonably believes a “covered cyber incident” has occurred. Furthermore, the legislation requires covered entities to provide a report within 24 hours after the entity makes a ransom payment in response to a ransomware attack. If a covered entity fails to disclose information required by CIRCIA, CISA has been authorized to take administrative enforcement actions to compel a covered entity to follow its reporting obligations. CISA is charged with implementing these reporting requirements.
Prior to the passage of CIRCIA, dozens of federal, state, local, tribal, and territorial cyber incident requirements applied to entities operating within the U.S., with more than three dozen requirements existing on the federal level alone. CIRCIA seeks to provide “one U.S. government agency [with] visibility into all cyber-attacks occurring against U.S. critical infrastructure on a daily basis.” According to the Proposal, a majority of federal cyber reporting regimes have been primarily based around national security; economic security; public health and safety; and/or the resiliency of National Critical Functions. While CIRCIA was adopted with these goals in mind, it is also centered around improving trend and threat analysis; vulnerability and mitigation assessments; the provision of early warnings; incident response and mitigation; supporting federal efforts to disrupt threat actors; and advancing cyber resiliency.
Covered Entities
CIRCIA defines the term “covered entity” as “an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21, that satisfies the definition established by the Director in the final rule issued pursuant to Section 681b(b) of this title.” The statute further required CISA to provide a “clear description” of what specific entities would meet the statute’s general definition.
Section 226.2 of the Proposal establishes two pathways to being considered a covered entity – one based on the size of the entity and the other based on sector-specific criteria. A critical infrastructure sector must only satisfy one of these pathways to be considered a covered entity. For example, an entity that exceeds size standards but does not meet sector-based criteria would still be considered a covered entity.
Size Standards
Any entity in a critical infrastructure sector that, “Exceeds the small business size standard specified by the applicable North American Industry Classification System Code in the U.S. Small Business Administration’s Small Business Size Regulations as set forth in 13 CFR part 121” shall be considered a covered entity.
Sector-Specific Criteria
Other legislative proposals seek to take a more robust approach to regulating the use and deployment of AI. Some members, such as Senator Ted Cruz (R-TX) and Senator John Thune (R-SD) believe proposals eventually spearheaded by Senate Majority Leader Chuck Schumer (D-NY) will ultimately follow this approach. Proponents of the “heavy-handed” regulatory approach believe the risks of AI technologies are too great not to set clear standards and guidance around its development, use, and procurement.
Chemical Facilities: The entity owns or operates a covered chemical facility subject to the Chemical Facility Anti-Terrorism Standards.
Communications Services: The entity provides communications services by wire or radio, as defined by the Communications Act, to the public, businesses, or government, as well as one-way services and two-way services. Such services include but are not limited to: radio and television broadcasters; cable television operators; satellite operators; telecommunications carriers; submarine cable licensees required to report outages to the Federal Communications Commission; fixed and mobile wireless service providers; voice over internet protocol providers; or internet service providers.
Critical Manufacturing: The entity owns or has business operations engaging in primary metal manufacturing; machinery manufacturing; electrical equipment, appliance, and component manufacturing; or transportation equipment manufacturing.
Defense Industrial Base: The entity is a contractor or subcontractor required to report cyber incidents to the Department of Defense in accordance with Defense Federal Acquisition Regulation Supplement requirements.
Emergency Services: The entity provides at least one of the following emergency services or functions to a population greater than or equal to 50,000 individuals: law enforcement; fire and rescue services; emergency medical services; emergency management; or public works that contribute to public health and safety.
Bulk Electric and Distribution Systems: The entity is required to report cybersecurity incidents under the North American Electric Reliability Corporation Critical Infrastructure Protection Reliability Standards or is required to file an Electric Emergency Incidence and Disturbance Report OE-417 form to the Department of Energy.
Financial Services: Entities including (i) a banking or similar organization regulated by the Office of the Comptroller of the Currency, including all national banks, federal savings associations, and federal branches and agencies of foreign banks; the Federal Reserve Board, including all U.S. bank holding companies, savings and loan holding companies, state member banks, the U.S. operations of foreign banking organizations, Edge and agreement corporations, and certain designated financial market utilities; and the Federal Deposit Insurance Corporation, including all insured state nonmember banks, insured state-licensed branches of foreign banks, and insured state savings associations; (ii) a federally insured credit union regulated by the National Credit Union Administration; (iii) a designated contract market, swap execution facility, derivatives clearing organization, or swap data repository regulated by the Commodity Futures Trading Commission; (iv) a futures market commission merchant or swap dealer regulated by the Commodity Futures Trading Commission; (v) a systems compliance and integrity entity, security-based swap dealer, or security-based swap data repository regulated by the Securities and Exchange Commission under Regulations Systems Compliance and Integrity or Regulation Security-Based Swap Regulatory Regime; (vi) a money services business; or (vii) Fannie Mae and Freddie Mac.
Governmental, Educational, and Election Entities: The entity is a state, local, tribal, or territorial government entity for a jurisdiction with a population equal to or greater than 50,000 individuals; a local educational agency with a student population of at least 1,000 students; an institute of higher education that receives funding under Title IV of the Higher Education Act; and an entity that manufactures, sells, or provides managed services for information and communications technology specifically used to support election processes on behalf of state, local, tribal, or territorial governments.
Health Care: The entity provides at least one of the following public-health services: owns or operates a hospital with at least 100 beds, or any critical access hospital; manufactures certain pharmaceuticals included in the Essential Medicines Supply Chain and Manufacturing Resilience Assessment; or manufactures a Class II or Class III medical device.
Information Technology: The entity (i) provides or supports information technology hardware, software, systems, or services to the federal government; (ii) has developed and continues to sell, license, or maintain any critical software as defined by the National Institute for Standards and Technology; (iii) is an original equipment manufacturer, vendor, or integrator of operational technology hardware or software components; or (iv) performs functions related to domain name operations.
Nuclear Energy: The entity owns or operates a commercial nuclear power reactor or fuel cycle facility licensed to operate under the regulations of the Nuclear Regulatory Commission.
Transportation: The entity is required by the Transportation Security Administration to report cyber incidents or otherwise qualifies as one of the following transportation entities: (i) a freight railroad carrier; (ii) a public transportation agency or passenger railroad; (iii) an over-the-road bus operator; (iv) a pipeline facility or system owner or operator; (v) an aircraft operator; (vi) an indirect air carrier; (vii)an airport operator; or (viii) a Certified Cargo Screening Facility.
Water Facilities: The entity owns or operates a community water system or publicly owned treatment works for a population greater than 3,300 people.
Covered Incidents
Cyber Incident
CIRCIA defines a “cyber incident” as “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system”; and “(B) does not include an occurrence that imminently, but not actually, jeopardizes – (i) information on information systems; or (ii) information systems.”
In the Proposal, CISA proposes to expand this definition to mean “an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually jeopardizes, without lawful authority, an information system.”
Covered Cyber Incident
CIRCIA provides CISA latitude in determining what should be considered a “covered cyber incident.” In the Proposal, CISA has defined the term to mean “all substantial cyber incidents experienced by a covered entity,” with a “substantial cyber incident” being defined as a cyber incident that leads to “(a) a substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network; (b) a serious impact on the safety and resiliency of a covered entity’s operational systems and processes; (c) a disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or (d) unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud-service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise.”
CISA further proposes that a substantial cyber incident include “any cyber incident regardless of cause, including, but not limited to, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; a supply chain compromise; a denial-of-service attack; a ransomware attack; or exploitation of a zero-day vulnerability.”
Reporting Requirements
The Proposal clearly outlines the content CISA expects to be included in a Covered Cyber Incident Report. Broadly, such content includes but is not limited to:
Identification and description of the function of the affected networks, devices, and/or information systems that were, or reasonability believed to have been, affected by the covered cyber incident. This should include any technical details and physical locations of the affected entities; and whether the affected entities support elements of the intelligence community.
Description of unauthorized access, regardless of whether the covered cyber incident involved an attributed or unattributed cyber intrusion.
Date the incident was detected, the date the incident began, and the date the incident ended assuming it has been fully mitigated and resolved. The report should also clearly define the duration of suspected unauthorized system access if known or applicable.
The impact of the covered cyber incident on the covered entity’s operations, including any information related to the level of operational impact and direct economic impacts to operational any specific or suspected physical or informational impacts; and information to enable CISA’s assessment of any known impacts to national security or public health. The covered entity should also include any information on active mitigation measures; exploited vulnerabilities; and what techniques were used by the threat actors.
Covered entities that experienced a ransomware attack are subject to all the above requirements. In addition, these entities must include details of payments made; payments demanded; payment instructions; and all relevant payment amounts, dates, and currency types.
Furthermore, covered entities that experienced a ransomware attack are required to submit an applicable CIRCIA report, regardless of whether such attack is considered a “covered cyber incident.” Depending on the circumstances surrounding and timing of the ransom payment, the type of required cyber incident report may vary. Potential options include a Section 226.3(a) Covered Cyber Incident Report; a Section 226.3(b) Ransom Payment Report; or a Section 226.3(c) Joint Covered Cyber Incident and Ransom Payment Report.
Report Timing
As stated above, CISA seeks to require covered entities to report a covered cyber incident within 72 hours after it “reasonably believes” a covered cyber incident occurred, and that such event was “substantial.” Ransomware reports are due within 24 hours after any payment being made. CISA clearly states it does not intend on defining the term “reasonably believes,” rather, guidance is included in the Proposal to help covered entities understand when a “reasonable belief” is expected to have occurred.
The Proposal acknowledges covered entities may not have all the required report information within the established 72-hour or 24-hour periods and directs covered entities to submit supplemental reports to ensure previously submitted reports are materially whole and correct. The Proposal does not establish a timeline for when these supplemental reports should be filed, rather, the Proposal directs covered entities to submit these reports “promptly,” meaning “without delay or as soon as possible.” If a covered entity experiences a ransomware attack after filing its initial Covered Cyber Incident Report, the covered entity would still be subject to the 24-hour Ransom Payment Report requirement.