August 7, 2024 By Sue Poremba 3 min read

Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis.

When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath.

In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). But because the wheels of government move slowly, it is just now in 2024 that the Cybersecurity and Infrastructure Security Agency (CISA), the agency tasked with overseeing CIRCIA, is completing the mandatory rule requirements so the law can go into effect. On April 4, CISA published a Notice of Proposed Rulemaking (NPRM), which was open for public comment until July 3, with the final rules and regulations coming no later than October 2025.

The goal of CIRCIA is to change the way entities across the critical infrastructure communicate during a cyber crisis and improve overall cyber readiness.

The 72-hour rule

CISA has designated 16 industries as critical infrastructure, which can be found here in detail. However, under CIRCIA, only 13 of the sectors will be required to follow the reporting guidelines (as of this writing, the Commercial Facilities, Dams, and Food and Agriculture sectors are exempted, but of course, this could change).

Under the new crisis communication guidelines, any business operating under the umbrella of one of the 13 critical infrastructure sectors, including small and mid-sized businesses, will be required to report the cyber incident to CISA within 72 hours of occurrence. Any federal agency receiving a report about a covered cyber incident will have 24 hours to share the report with CISA.

The guidelines also establish an intergovernmental Cyber Incident Reporting Council that will coordinate, deconflict and harmonize federal incident reporting requirements.


CIRCIA’s additional ransomware guidelines

Because ransomware is among the most prevalent types of attacks on critical infrastructure, CIRCIA added guidelines to help these organizations better defend themselves against ransomware attacks. They include:

  • Any organization making a ransomware payment after an attack must report it to CISA within 24 hours. CISA will share this report with other federal agencies.
  • Through the Ransomware Vulnerability Warning Pilot (RVWP) program, CISA uses its authorities and technologies to identify systems with vulnerabilities that could lead to ransomware and to alert their owners in a timely manner so the systems can be fixed before an attack.

Criteria for a covered cyber incident

In addition to its reporting requirements, CIRCIA and CISA outline specific criteria on what is considered a covered cyber incident. If an incident meets these criteria, it must be reported:

  • An incident that results in substantial loss of confidentiality, integrity or availability within systems, or that has a serious impact on the resiliency or safety of operations
  • An incident that disrupts business or industrial operations. This includes DoS attacks, ransomware and zero-day attacks
  • An incident that creates unauthorized access or disruption of business operations through loss of services from a third-party provider

How to prepare for CIRCIA

Even though full implementation of CIRCIA is a year away and could see changes during that time, organizations can begin to take steps to prepare for the time when they will need to report a covered incident.

It starts with learning whether your organization falls under one of the covered sectors and, if so, familiarizing yourself with the reporting guidelines.

This would be a good time to review the organization’s cybersecurity policy and implement recommendations from the NIST Cybersecurity Framework 2.0, NIST Software Supply Chain Security framework and other government cybersecurity guidance available.

The incident response team should be fully trained on the CIRCIA requirements, right along with the pre-existing incident response plan, and should conduct practice runs. Incident response protocols may need to be updated to meet these requirements. If your organization doesn’t have an incident response team and plan, now is the time to pull one together.

CIRCIA rules won’t be mandatory until 2025 when the final rules go into effect, but it isn’t too early to start following the guidelines as a way to improve cybersecurity across your business and critical infrastructure.
