April 15, 2024 By Jonathan Reed 2 min read

Due to ongoing cyberattacks and threats, critical infrastructure organizations have been on high alert. Now, the Cybersecurity and Infrastructure Security Agency (CISA) has introduced a draft of landmark regulation outlining how organizations will be required to report cyber incidents to the federal government.

The 447-page Notice of Proposed Rulemaking (NPRM) has been released and is open for public feedback through the Federal Register. CISA was required to develop this report by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). With this new document, CISA aims to enhance the government’s capacity to monitor incidents and ransomware payments.

CIRCIA was largely inspired by major attacks, such as those involving SolarWinds, a Microsoft Exchange Server and Colonial Pipeline. Now, even companies with robust cyber resilience are concerned. These incidents made it clear that the severity of infrastructure attacks was growing, which jolted the government into action.

CIRCIA rules and requirements

Before CIRCIA, Congress stated that “no one U.S. Government agency has visibility into all cyberattacks occurring against U.S. critical infrastructure on a daily basis.” CIRCIA intends to enable a coordinated, informed U.S. response to the foreign governments and criminal organizations conducting these attacks.

According to the newly released NPRM, covered critical infrastructure organizations are required to report incidents within 72 hours after an entity believes a cyberattack has occurred. Ransomware payments must be reported within 24 hours of being made. However, if payment is accompanied by an incident, the organization has 72 hours to comply with reporting.

The newly proposed guidelines state that a covered entity must report any and all ransom payments — even if the incident is not a covered cyber incident. Additionally, the new rules require a covered entity to report a ransom payment even if a third party makes the payment.

Learn more about incident response

What is a covered entity?

In general, CISA determines that covered entities are part of the 16 critical infrastructure sectors, which include:

  • Chemical Sector
  • Commercial Facilities Sector
  • Communications Sector
  • Critical Manufacturing Sector
  • Dams Sector
  • Defense Industrial Base Sector
  • Emergency Services Sector
  • Energy Sector
  • Financial Services Sector
  • Food and Agriculture Sector
  • Government Facilities Sector
  • Healthcare and Public Health Sector
  • Information Technology Sector
  • Nuclear Reactors, Materials and Waste Sector
  • Transportation Systems Sector
  • Water and Wastewater Sector

Furthermore, CISA is proposing that covered entities exceed the U.S. Small Business Administration’s (SBA) small business size standard based on either the number of employees or annual revenue, depending on the industry.

What is a covered incident?

As per the NPRM, a covered incident is a substantial incident that involves a covered entity. CISA is proposing four types of impacts that would result in the incident being classified as a substantial cyber incident and, therefore, reportable. The four types of impact include:

  • Impact 1: Substantial Loss of Confidentiality, Integrity or Availability
  • Impact 2: Serious Impact on Safety and Resiliency of Operational Systems and Processes
  • Impact 3: Disruption of Ability to Engage in Business or Industrial Operations
  • Impact 4: Unauthorized Access Facilitated Through or Caused by a: (1) Compromise of a CSP, Managed Service Provider or Other Third-Party Data Hosting Provider, or (2) Supply Chain Compromise

NPRM open for discussion

Following the release of the NPRM, it’s now up to stakeholders across the critical infrastructure sectors to make comments. Are the rules too complex? What happens to substantial incidents in smaller entities? Will resources diverted to compliance requirements have a clear security benefit? These questions remain to be answered before the rules get put into action.

More from News

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today