CISA has laid out the details of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), a law passed by the Biden administration in 2022 that will require critical infrastructure entities to report incidents and ransomware payment information to the agency.
The law, enacted two years ago, directs CISA to develop and implement CIRCIA's specific requirements, which require companies in the 16 designated U.S. critical infrastructure sectors to report covered incidents within 72 hours of discovery and ransomware payments within 24 hours of making the payment. The agency delivered these proposed requirements this week, releasing a Notice of Proposed Rulemaking and calling for feedback from the public and private sectors over the next 60 days. CIRCIA is expected to take effect in 2025.
“CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure,” said CISA Director Jen Easterly in a statement this week. “It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats. We look forward to additional feedback from the critical infrastructure community as we move towards developing the Final Rule.”
The 447-page rulemaking document lays out various specifics of CIRCIA, including what critical infrastructure entities are in scope, what constitutes an incident or ransomware attack, what kind of information reports should include, what kinds of exceptions exist for reporting and how CIRCIA will be enforced.
Overall, the agency estimated that 316,244 entities would be affected by the proposed rule and that a total of 210,525 CIRCIA reports would be submitted through 2033. CISA proposed several factors for determining which critical infrastructure entities are covered, including the size of the organization and whether an entity operates sector-specific facilities that perform certain critical functions.
“For a number of reasons CISA believes a sensible approach is to require larger entities within a critical infrastructure sector to report cyber incidents while generally excluding smaller entities from those same reporting requirements,” according to the rulemaking document.
CISA also estimated that the proposed rule would cost $2.6 billion over 11 years, driven by “initial costs associated with becoming familiar with the proposed rule,” as well as recurring data and records preservation requirements, help desk calls and enforcement actions.
The long-awaited CIRCIA proposed rules arrive in a data reporting landscape that is in flux. Cyber incident reporting has become a priority for several agencies across the U.S. government, particularly in the wake of high-profile ransomware attacks. More incident reports could help authorities support victims, and more consistent incident data could also give a fuller picture of the scope, scale and impact of ransomware attacks, which in turn could help determine whether measures such as government sanctions are effective in hindering cybercriminals.
The government has relied on regulatory policies for cyber incident reporting, but the current regulatory landscape is a patchwork of guidelines across several agencies, which adds layers of complexity to the reporting process; the SEC’s cyber incident reporting requirements for publicly traded companies are a recent addition. CIRCIA, for its part, applies specifically to critical infrastructure sector entities, and reports go only to CISA. Questions remain about the long-term impacts of these proposed rules, both on defensive capabilities against the threat landscape and on the critical infrastructure entities within the rule's scope, as well as about the processes CISA will use to receive, analyze and respond to reported incident data in a timely manner.
Overall, however, the hope is that “by enabling rapid identification of ongoing incidents and increased understanding of successful mitigation measures, incident reporting increases the ability of impacted entities and the Federal government to respond to ongoing campaigns faster and mitigate or minimize the consequences that could result from them,” according to CISA’s rulemaking document.