August 14, 2024 By Doug Bonderud 3 min read

In 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) went into effect. According to Secretary of Homeland Security Alejandro N. Mayorkas, “CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors.”

While the law itself is on the books, the reporting requirements for covered entities won’t come into force until CISA completes its rulemaking process. As part of this process, the agency has released a 447-page Notice of Proposed Rulemaking (NPRM), which was opened for feedback on April 4, 2024. As of July 3, 2024, the feedback period has closed — here’s a look at what industry groups and organizations have been saying about the proposed rule, its impact and where it may come up short.

Healthcare: Concerns coalesce over duplicate requirements

Healthcare organizations are raising red flags over what they consider to be duplicate reporting requirements. Both the American Hospital Association (AHA) and the Medical Group Management Association (MGMA) are concerned that new rules under CIRCIA are effectively redundant versions of those outlined by HIPAA.

The AHA and MGMA make the argument that since healthcare agencies are already responsible for reporting breaches under the HIPAA Breach Notification Rule, similar requirements under CIRCIA will add more work with no benefit. They are especially concerned about potential penalties under the rule, which could see unreported incidents sent to the Attorney General and lead to civil actions or contempt of court charges.

According to a letter from the AHA to CISA Director Jen Easterly, “The AHA acknowledges that the spread and impact of cyber crime require the federal government to take strong actions to protect American citizens; punishing victims is counterintuitive and counterproductive.”

From the perspectives of both the AHA and MGMA, CIRCIA, in its current form, makes it more difficult for healthcare organizations to respond effectively when incidents occur. Instead of protecting patients and dealing with immediate impacts, organizations would have to focus on meeting multiple overlapping reporting requirements.


Critical infrastructure: Issues emerge around scope and time

Critical infrastructure agencies are also voicing their concerns about the proposed rule. According to Cybersecurity Dive, they’re worried about the time window for reporting requirements and the scope of incidents covered by CIRCIA.

Under the proposed rule, covered entities would have 72 hours to disclose a breach and just 24 hours to report any ransomware payments. Given the potential impact of infrastructure disruptions such as energy grid attacks or water treatment plant compromises, industry advocates worry that such tight reporting timelines could frustrate efforts to remediate issues and get services back up and running.

As a result, groups such as TechNet and the American Gas Association (AGA) are urging CISA to limit the scope of initial reporting requirements to only the most critical sectors among critical infrastructure providers. TechNet specifically argues that while critical functions are an integral part of infrastructure operations, not all parts of an organization are responsible for those functions. By narrowing the definition of “critical,” they argue, teams will be better able to respond.

From suggestion to action

With the feedback period now closed, CISA will review industry comments and make whatever adjustments to the NPRM it deems necessary. While there’s no word on when the final rule will be released, it probably won’t happen before 2025.

For critical infrastructure organizations, the result is a waiting game. CISA hasn’t offered any comments on the feedback or the likelihood of any proposed changes. Ideally, the final rule lands somewhere in the middle, with reporting timelines that are shorter than providers prefer but long enough that they can effectively identify incident causes and remediate key risks.
