In March of 2022, a new federal law was adopted: the Cyber Incident Reporting Critical Infrastructure Act (CIRCIA). This new legislation focuses on reporting requirements related to cybersecurity incidents and ransomware payments. The key takeaway: covered entities in critical infrastructure will now be required to report incidents and payments within specified time frames to the Cybersecurity and Infrastructure Security Agency (CISA).

These new requirements will change how CISOs handle cyber incidents for the foreseeable future. As a result, CISOs must stay up to date on current reporting requirements, update reporting procedures and work to ensure they stay compliant.

Let’s look at the current changes represented under CIRCIA, and how CISOs should expect to adapt.

Other Important Resources to Understand CIRCIA

The first thing to keep in mind is that CIRCIA relies on various definitions and policies found in other resources. Initially, they may be difficult to decipher and may require some mapping and/or cross-referencing. Some of the resources are:

The law can be found on pages 2,542 to 2,581 of the Consolidated Appropriations Act.

Note: while this piece focuses on U.S.-based organizations, other regions, such as the European Union, are also taking steps to harden critical infrastructure through cyber-related certifications and additional requirements. Let’s take a look at CIRCIA’s specifics.

When is CIRCIA in Effect?

The law is in effect, but some requirements are pending. CISA will continue to define and clarify these, making CIRCIA more of a guiding document for what must be addressed. Currently, CISA has a cumulative total of 42 months to issue the rules; but nothing is stopping CISA from making the rules within a shorter time frame.

In mid-September 2022, CISA released a request for public input with a deadline of November 14, 2022. As part of this process, CISA has also scheduled public listening sessions. It is therefore clear that many changes are still happening in real time.

Of course, CISOs have a full plate as part of their daily operations, but wherever possible, impacted CISOs should try to stay up to date and involved.

What Defines a Covered Entity?

The first question CISOs, their peers and management will need to consider is whether they are a covered entity. Based on PPD 21 and CISA, the “Designated Critical Infrastructure Sectors” are:

  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors, Materials and Waste
  • Transportation Systems
  • Water and Wastewater Systems.

This casts a wide net with some obvious organizations (banks, hospitals, telecommunication providers, etc.), but service providers that support these industries may additionally be caught up in the net. The rulemaking process is critical and CISOs should err on the side of caution. Anyone who could be captured as a covered entity should get as involved as possible in the process.

However, some guardrails are already in place. Rulemaking should consider factors such as:

  • Consequences for national security, economic security, or public health and safety
  • Likelihood of a malicious actor attacking an entity
  • The extent of potential damage.

The exact language is located on page 2,542.

Defining Covered and Substantial Cyber Incidents

Definitions are everything. As previously noted, the U.S. Securities and Exchange Commission (SEC) issued its own rules defining cybersecurity incidents and information systems. CIRCIA will continue to do the same throughout the rulemaking process. The request for information gives insight into terms whose meaning requires finalization, including:

  • Covered cyber incident
  • Substantial cyber incident
  • Ransomware payment and ransomware attack
  • Supply chain compromise.

For example, the specific language states a “covered cyber incident” means a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the director of CISA in the final rule issued pursuant to section 2242(b).

Though they are not fully clear, page 2,543 of CIRCIA does establish some guidelines for what a substantial cyber incident should consider:

  • Occurrences of substantial loss to confidentiality, integrity and availability of information systems, or serious impact to safety and resiliency of operational systems and processes
  • Disruption of business or industrial operations
  • Unauthorized access or disruption of business or industrial operations caused by third parties
  • The number of people impacted
  • Impacts on industrial control systems.

These qualifications exclude any event in which the cyber event is carried out in good faith by an entity in response to a specific request, as well as the mere threat of disruption, as described in a separate section. However, CISOs will still benefit from an additional review of existing legislation and close tracking of the rules as they are issued.

CIRCIA Reporting Requirements

Unlike other sections of CIRCIA, reporting requirements do come with some clarity. Covered cyber incidents must be reported within 72 hours of when the covered entity “reasonably believes” the incident has occurred. Entities must also report a payment as a result of a ransomware attack within 24 hours of payment being made.

The “reasonably believes” language is key because a covered entity may not know with certainty that the covered cyber incident has occurred. CISOs should be mindful of this requirement because that “reasonable belief” can hit the start button on the 72-hour window.

Furthermore, notification alone is likely not enough. Necessary incident details include (but are not limited to):

  • Identification of systems impacted
  • Description of the attack
  • Dates and times
  • Impact on operations
  • Vulnerabilities exploited
  • Actor tactics and techniques
  • Information types impacted
  • Contact information.

Start reading on page 2,545 for further details.

Before CISOs, auditors and lawyers start panicking over the reporting, review page 2,566 for the liability protections. Protection of trade secrets, privileges, admissibility and more are covered. Still, the time is now for CISOs to start working more closely with lawyers on their teams. Keep in mind that the intent of the reports is to help support rapid response and information sharing, but penalties can still be serious.

The Next Steps Forward for CISOs

As 2022 draws to a close, the immediate step for CISOs is to stay informed, participate in the conversation and get further updates on rules and effective dates. CISOs should plan to huddle with their incident responders as soon as possible and start working through protocols and processes for internal notification, escalation and artifact collection.

Above all, remember that the cumulative total of 42 months is the maximum time to define the rules; CISA and its director may bring these into effect a whole lot sooner. Don’t be caught flat-footed.
