April 15, 2024 By Jonathan Reed 2 min read

Due to ongoing cyberattacks and threats, critical infrastructure organizations have been on high alert. Now, the Cybersecurity and Infrastructure Security Agency (CISA) has introduced a draft of landmark regulation outlining how organizations will be required to report cyber incidents to the federal government.

The 447-page Notice of Proposed Rulemaking (NPRM) has been released and is open for public feedback through the Federal Register. CISA was required to develop this report by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). With this new document, CISA aims to enhance the government’s capacity to monitor incidents and ransomware payments.

CIRCIA was largely inspired by major attacks, such as those involving SolarWinds, a Microsoft Exchange Server and Colonial Pipeline. Now, even companies with robust cyber resilience are concerned. These incidents made it clear that the severity of infrastructure attacks was growing, which jolted the government into action.

CIRCIA rules and requirements

Before CIRCIA, Congress stated that “no one U.S. Government agency has visibility into all cyberattacks occurring against U.S. critical infrastructure on a daily basis.” CIRCIA intends to enable a coordinated, informed U.S. response to the foreign governments and criminal organizations conducting these attacks.

According to the newly released NPRM, covered critical infrastructure organizations are required to report incidents within 72 hours after an entity believes a cyberattack has occurred. Ransomware payments must be reported within 24 hours of being made. However, if payment is accompanied by an incident, the organization has 72 hours to comply with reporting.

The newly proposed guidelines state that a covered entity must report any and all ransom payments — even if the incident is not a covered cyber incident. Additionally, the new rules require a covered entity to report a ransom payment even if a third party makes the payment.

Learn more about incident response

What is a covered entity?

In general, CISA determines that covered entities are part of the 16 critical infrastructure sectors, which include:

  • Chemical Sector
  • Commercial Facilities Sector
  • Communications Sector
  • Critical Manufacturing Sector
  • Dams Sector
  • Defense Industrial Base Sector
  • Emergency Services Sector
  • Energy Sector
  • Financial Services Sector
  • Food and Agriculture Sector
  • Government Facilities Sector
  • Healthcare and Public Health Sector
  • Information Technology Sector
  • Nuclear Reactors, Materials and Waste Sector
  • Transportation Systems Sector
  • Water and Wastewater Sector

Furthermore, CISA is proposing that covered entities exceed the U.S. Small Business Administration’s (SBA) small business size standard based on either the number of employees or annual revenue, depending on the industry.

What is a covered incident?

As per the NPRM, a covered incident is a substantial incident that involves a covered entity. CISA is proposing four types of impacts that would result in the incident being classified as a substantial cyber incident and, therefore, reportable. The four types of impact include:

  • Impact 1: Substantial Loss of Confidentiality, Integrity or Availability
  • Impact 2: Serious Impact on Safety and Resiliency of Operational Systems and Processes
  • Impact 3: Disruption of Ability to Engage in Business or Industrial Operations
  • Impact 4: Unauthorized Access Facilitated Through or Caused by a: (1) Compromise of a CSP, Managed Service Provider or Other Third-Party Data Hosting Provider, or (2) Supply Chain Compromise

NPRM open for discussion

Following the release of the NPRM, it’s now up to stakeholders across the critical infrastructure sectors to make comments. Are the rules too complex? What happens to substantial incidents in smaller entities? Will resources diverted to compliance requirements have a clear security benefit? These questions remain to be answered before the rules get put into action.

More from News

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

State Department releases International Cyberspace and Digital Policy Strategy

3 min read - U.S. Secretary of State Antony Blinken announced the new U.S. International Cyberspace and Digital Policy Strategy during the recent RSA Conference in San Francisco. The strategy emphasizes the role of technology in diplomacy and the urgent need to build international coalitions. “Security, stability, prosperity — they are no longer solely analog matters,” Blinken said at the conference. The new strategy focuses on “digital solidarity” not “digital sovereignty,” Blinken said, emphasizing the importance of collaboration with like-minded nations. Also mentioned was…

DHS establishes Artificial Intelligence Safety and Security Board

3 min read - As part of its commitment to addressing the rapid growth and adoption of AI technology across all industries and sectors, the Department of Homeland Security (DHS) announced the establishment of the Artificial Intelligence Safety and Security Board in late April. The Board’s first meeting is planned for early May when they will begin the task of focusing on how to develop and deploy AI technology within the United States’ critical infrastructure safely and securely. Based on the DHS Homeland Threat…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today