In March of 2022, a new federal law was adopted: the Cyber Incident Reporting Critical Infrastructure Act (CIRCIA). This new legislation focuses on reporting requirements related to cybersecurity incidents and ransomware payments. The key takeaway: covered entities in critical infrastructure will now be required to report incidents and payments within specified time frames to the Cybersecurity and Infrastructure Security Agency (CISA).
These new requirements will change how CISOs handle cyber incidents for the foreseeable future. As a result, CISOs must stay up to date on current reporting requirements, update reporting procedures and work to ensure they stay compliant.
Let’s look at the current changes represented under CIRCIA, and how CISOs should expect to adapt.
Other important resources to understand CIRCIA
The first thing to keep in mind is that CIRCIA relies on various definitions and policies found in other resources. Initially, they may be difficult to decipher and may require some mapping and/or cross-referencing. Some of the resources are:
The law can be found on pages 2,542 to 2,581 of the Consolidated Appropriations Act.
Note: while this piece focuses on U.S.-based organizations, other regions, such as the European Union, are also taking steps to harden critical infrastructure through cyber-related certifications and additional requirements. Let’s take a look at CIRCIA’s specifics.
When is CIRCIA in effect?
The law is in effect, but some requirements are pending. CISA will continue to define and clarify these, making CIRCIA more of a guiding document for what must be addressed. Currently, CISA has a cumulative total of 42 months to issue the rules; but nothing is stopping CISA from making the rules within a shorter time frame.
In mid-September 2022, CISA released a request for public input with a deadline of November 14, 2022. As part of this process, CISA has also scheduled public listening sessions. Therefore, it’s clear that many changes are still happening in real-time.
Of course, CISOs have a full plate as part of their daily operations; but wherever possible, impacted CISOs should try to stay up-to-date and involved.
What defines a covered entity?
The first question CISOs, their peers and management will need to consider is whether they are a covered entity. Based on PPD 21 and CISA, the “Designated Critical Infrastructure Sectors” are:
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Base
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials and Waste
- Transportation Systems
- Water and Wastewater Systems.
This casts a wide net with some obvious organizations (banks, hospitals, telecommunication providers, etc.), but service providers that support these industries may additionally be caught up in the net. The rulemaking process is critical and CISOs should err on the side of caution. Anyone who could be captured as a covered entity should get as involved as possible in the process.
However, some guardrails are already in place. Rulemaking should consider factors such as:
- Consequences for national security, economic security, or public health and safety
- Likelihood of a malicious actor attacking an entity
- The extent of potential damage.
The exact language is located on page 2,542.
Defining covered and substantial cyber incidents
Definitions are everything. As previously noted, the U.S. Securities and Exchange Commission (SEC) issued its own rules defining cybersecurity incidents and information systems. CIRCIA will continue to do the same throughout the rulemaking process. The request for information gives insight into terms whose meaning requires finalization, including:
- Covered cyber incident
- Substantial cyber incident
- Ransomware payment and ransomware attack
- Supply chain compromise.
For example, the specific language states a “covered cyber incident” means a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the director of CISA in the final rule issued pursuant to section 2242(b).
Though they are not fully clear, page 2,543 of CIRCIA does establish some guidelines for what a substantial cyber incident should consider:
- Occurrences of substantial loss to confidentiality, integrity and availability of information systems, or serious impact to safety and resiliency of operational systems and processes
- Disruption of business or industrial operations
- Unauthorized access or disruption of business or industrial operations caused by third parties
- The number of people impacted
- Impacts on industrial control systems.
These qualifications exclude any event when the cyber event is perpetrated in good faith by an entity in response to a specific request and the threat of disruption, as described in a separate section. However, CISOs will still benefit from an additional review of existing legislation and close tracking of the rules issued.
CIRCIA reporting requirements
Unlike other sections of CIRCIA, reporting requirements do come with some clarity. Covered cyber incidents must be reported within 72 hours of when the covered entity “reasonably believes” the incident has occurred. Entities must also report a payment as a result of a ransomware attack within 24 hours of payment being made.
The “reasonably believes” language is key because a covered entity may not know with certainty that the covered cyber incident has occurred. CISOs should be mindful of this requirement because that “reasonable belief” can hit the start button on the 72-hour window.
Furthermore, notification alone is likely not enough. Necessary incident details include (but are not limited to):
- Identification of systems impacted
- Description of the attack
- Dates and times
- Impact on operations
- Vulnerabilities exploited
- Actor tactics and techniques
- Information types impacted
- Contact information.
Start reading on page 2,545 for further details.
Before CISOs, auditors and lawyers start panicking over the reporting, review page 2,566 for the liability protections. Protection of trade secrets, privileges, admissibility and more are covered. Still, the time is now for CISOs to start working more closely with lawyers on their teams. Keep in mind that the intent of the reports is to help support rapid response and information sharing, but penalties can still be serious.
The next steps forward for CISOs
As 2022 draws to a close, the immediate step for CISOs is to stay informed, participate in the conversation and get further updates on rules and effective dates. CISOs should plan to huddle with their incident responders as soon as possible and start working through protocols and processes for internal notification, escalation and artifact collection.
Above all, remember that the cumulative total of 42 months is the maximum time to define the rules; CISA and its director may bring these into effect a whole lot sooner. Don’t be caught flat-footed.