In March of 2022, a new federal law was adopted: the Cyber Incident Reporting Critical Infrastructure Act (CIRCIA). This new legislation focuses on reporting requirements related to cybersecurity incidents and ransomware payments. The key takeaway: covered entities in critical infrastructure will now be required to report incidents and payments within specified time frames to the Cybersecurity and Infrastructure Security Agency (CISA).

These new requirements will change how CISOs handle cyber incidents for the foreseeable future. As a result, CISOs must stay up to date on current reporting requirements, update reporting procedures and work to ensure they stay compliant.

Let’s look at the current changes represented under CIRCIA, and how CISOs should expect to adapt.

Other important resources to understand CIRCIA

The first thing to keep in mind is that CIRCIA relies on various definitions and policies found in other resources. Initially, they may be difficult to decipher and may require some mapping and/or cross-referencing. Some of the resources are:

The law can be found on pages 2,542 to 2,581 of the Consolidated Appropriations Act.

Note: while this piece focuses on U.S.-based organizations, other regions, such as the European Union, are also taking steps to harden critical infrastructure through cyber-related certifications and additional requirements. Let’s take a look at CIRCIA’s specifics.

When is CIRCIA in effect?

The law is in effect, but some requirements are pending. CISA will continue to define and clarify these, making CIRCIA more of a guiding document for what must be addressed. Currently, CISA has a cumulative total of 42 months to issue the rules, but nothing is stopping CISA from making the rules within a shorter time frame.

In mid-September 2022, CISA released a request for public input with a deadline of November 14, 2022. As part of this process, CISA has also scheduled public listening sessions. Therefore, it’s clear that many changes are still happening in real time.

Of course, CISOs have a full plate as part of their daily operations, but wherever possible, impacted CISOs should try to stay up to date and involved.

What defines a covered entity?

The first question CISOs, their peers and management will need to consider is whether they are a covered entity. Based on PPD 21 and CISA, the “Designated Critical Infrastructure Sectors” are:

  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors, Materials and Waste
  • Transportation Systems
  • Water and Wastewater Systems.

This casts a wide net with some obvious organizations (banks, hospitals, telecommunication providers, etc.), but service providers that support these industries may additionally be caught up in the net. The rulemaking process is critical and CISOs should err on the side of caution. Anyone who could be captured as a covered entity should get as involved as possible in the process.

However, some guardrails are already in place. Rulemaking should consider factors such as:

  • Consequences for national security, economic security, or public health and safety
  • Likelihood of a malicious actor attacking an entity
  • The extent of potential damage.

The exact language is located on page 2,542.

Defining covered and substantial cyber incidents

Definitions are everything. As previously noted, the U.S. Securities and Exchange Commission (SEC) issued its own rules defining cybersecurity incidents and information systems. CIRCIA will continue to do the same throughout the rulemaking process. The request for information gives insight into terms whose meaning requires finalization, including:

  • Covered cyber incident
  • Substantial cyber incident
  • Ransomware payment and ransomware attack
  • Supply chain compromise.

For example, the specific language states a “covered cyber incident” means a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the director of CISA in the final rule issued pursuant to section 2242(b).

Though they are not fully clear, page 2,543 of CIRCIA does establish some guidelines for what a substantial cyber incident should consider:

  • Occurrences of substantial loss to confidentiality, integrity and availability of information systems, or serious impact to safety and resiliency of operational systems and processes
  • Disruption of business or industrial operations
  • Unauthorized access or disruption of business or industrial operations caused by third parties
  • The number of people impacted
  • Impacts on industrial control systems.

These qualifications exclude any event in which the cyber event is perpetrated in good faith by an entity in response to a specific request, as well as the threat of disruption, as described in a separate section. However, CISOs will still benefit from an additional review of existing legislation and close tracking of the rules issued.

CIRCIA reporting requirements

Unlike other sections of CIRCIA, reporting requirements do come with some clarity. Covered cyber incidents must be reported within 72 hours of when the covered entity “reasonably believes” the incident has occurred. Entities must also report a payment as a result of a ransomware attack within 24 hours of payment being made.

The “reasonably believes” language is key because a covered entity may not know with certainty that the covered cyber incident has occurred. CISOs should be mindful of this requirement because that “reasonable belief” can hit the start button on the 72-hour window.

Furthermore, notification alone is likely not enough. Necessary incident details include (but are not limited to):

  • Identification of systems impacted
  • Description of the attack
  • Dates and times
  • Impact on operations
  • Vulnerabilities exploited
  • Actor tactics and techniques
  • Information types impacted
  • Contact information.

Start reading on page 2,545 for further details.

Before CISOs, auditors and lawyers start panicking over the reporting, review page 2,566 for the liability protections. Protection of trade secrets, privileges, admissibility and more are covered. Still, the time is now for CISOs to start working more closely with lawyers on their teams. Keep in mind that the intent of the reports is to help support rapid response and information sharing, but penalties can still be serious.

The next steps forward for CISOs

As 2022 draws to a close, the immediate step for CISOs is to stay informed, participate in the conversation and get further updates on rules and effective dates. CISOs should plan to huddle with their incident responders as soon as possible and start working through protocols and processes for internal notification, escalation and artifact collection.

Above all, remember that the cumulative total of 42 months is the maximum time to define the rules; CISA and its director may bring these into effect a whole lot sooner. Don’t be caught flat-footed.
