Due to ongoing cyberattacks and threats, critical infrastructure organizations have been on high alert. Now, the Cybersecurity and Infrastructure Security Agency (CISA) has introduced a draft of landmark regulation outlining how organizations will be required to report cyber incidents to the federal government.

The 447-page Notice of Proposed Rulemaking (NPRM) has been released and is open for public feedback through the Federal Register. CISA was required to develop this report by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). With this new document, CISA aims to enhance the government’s capacity to monitor incidents and ransomware payments.

CIRCIA was largely inspired by major attacks, such as those involving SolarWinds, a Microsoft Exchange Server and Colonial Pipeline. Now, even companies with robust cyber resilience are concerned. These incidents made it clear that the severity of infrastructure attacks was growing, which jolted the government into action.

CIRCIA rules and requirements

Before CIRCIA, Congress stated that “no one U.S. Government agency has visibility into all cyberattacks occurring against U.S. critical infrastructure on a daily basis.” CIRCIA intends to enable a coordinated, informed U.S. response to the foreign governments and criminal organizations conducting these attacks.

According to the newly released NPRM, covered critical infrastructure organizations are required to report incidents within 72 hours after an entity believes a cyberattack has occurred. Ransomware payments must be reported within 24 hours of being made. However, if payment is accompanied by an incident, the organization has 72 hours to comply with reporting.

The newly proposed guidelines state that a covered entity must report any and all ransom payments — even if the incident is not a covered cyber incident. Additionally, the new rules require a covered entity to report a ransom payment even if a third party makes the payment.

What is a covered entity?

In general, CISA determines that covered entities are part of the 16 critical infrastructure sectors, which include:

• Chemical Sector
• Commercial Facilities Sector
• Communications Sector
• Critical Manufacturing Sector
• Dams Sector
• Defense Industrial Base Sector
• Emergency Services Sector
• Energy Sector
• Financial Services Sector
• Food and Agriculture Sector
• Government Facilities Sector
• Healthcare and Public Health Sector
• Information Technology Sector
• Nuclear Reactors, Materials and Waste Sector
• Transportation Systems Sector
• Water and Wastewater Sector

Furthermore, CISA is proposing that covered entities exceed the U.S. Small Business Administration’s (SBA) small business size standard based on either the number of employees or annual revenue, depending on the industry.

What is a covered incident?

As per the NPRM, a covered incident is a substantial incident that involves a covered entity. CISA is proposing four types of impacts that would result in the incident being classified as a substantial cyber incident and, therefore, reportable. The four types of impact include:

• Impact 1: Substantial Loss of Confidentiality, Integrity or Availability
• Impact 2: Serious Impact on Safety and Resiliency of Operational Systems and Processes
• Impact 3: Disruption of Ability to Engage in Business or Industrial Operations
• Impact 4: Unauthorized Access Facilitated Through or Caused by a: (1) Compromise of a CSP, Managed Service Provider or Other Third-Party Data Hosting Provider, or (2) Supply Chain Compromise

NPRM open for discussion

Following the release of the NPRM, it’s now up to stakeholders across the critical infrastructure sectors to make comments. Are the rules too complex? What happens to substantial incidents in smaller entities? Will resources diverted to compliance requirements have a clear security benefit? These questions remain to be answered before the rules get put into action.