Understanding CISA’s proposed cyber incident reporting rules

In the wake of a string of high-profile cyber incidents, capped by a crippling ransomware attack on Colonial Pipeline, the US Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) to create a centralized federal government cyber incident reporting apparatus.

In March, the Cybersecurity and Infrastructure Security Agency (CISA) published a notice of proposed rulemaking (NPRM), a crucial step in establishing this new data breach reporting mechanism.

CIRCIA mandated that covered entities promptly report to CISA within 72 hours after reasonably believing that a covered cyber incident has occurred. It also stipulated that covered entities report ransom payments in response to a ransomware attack within 24 hours of making them.

The new reporting regulation emerges among a growing welter of federal and state cyber incident reporting requirements, which will remain in effect even after this comprehensive national requirement kicks in, promising to increase the already stretched workloads of most cybersecurity professionals.

However, CISA says it is committed to working with other agencies to explore options to minimize unnecessary duplication between CIRCIA’s reporting requirements and other cyber incident reporting requirements.

CISA’s proposed rules cover reporting for a myriad of incidents

In its NPRM, CISA outlines the proposed rules across 20 sections, encompassing a broad scope of cyber incidents and ransom payments covered entities must report and how the rules apply across 16 US critical infrastructure sectors.

The proposed regulation in the NPRM applies to all organizations that are not considered “small businesses” as defined by the US Small Business Administration, except for small businesses that are considered “high-risk,” such as critical access hospitals in rural areas, owners and operators of nuclear facilities, and central school districts.

In its 450-page NPRM, CISA details an array of complex rules that it will likely further refine before the final regulation is released and seeks comment from all interested parties. The following sections highlight the cornerstones of CISA’s proposed rules, distilling some of the essential features.

What incidents to report and when

CISA proposes defining a cyber incident as “an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually jeopardizes, without lawful authority, an information system.”

CISA proposes to define a covered cyber incident, meaning one that must be reported under the new rules, as one that meets any of the following substantiality thresholds:

A substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network.

A serious impact on the safety and resiliency of a covered entity’s operational systems and processes.

A disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services.

Unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise.

CISA notes that these conditions apply regardless of the cause of the incident, which might include the compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, a supply chain compromise, a denial-of-service attack, a ransomware attack, or exploitation of a zero-day vulnerability.

It’s important to note that an incident needs to meet only one of the four prongs, not all four of the prongs, for it to qualify as a substantial cyber incident. Moreover, CISA proposes to include all types of systems, networks, or technologies, not just those deemed critical, in determining whether a substantial incident has occurred.

How incidents should be reported

CISA is proposing the following four situations in which a covered entity must submit an incident report, also known as a CIRCIA Report:

when it experiences a covered cyber incident,

when it makes a ransom payment,

when it has another entity make a ransom payment on its behalf, or

when it acquires substantial new or different information after submitting a previous CIRCIA report.

Exceptions to these requirements include:

when a covered entity reports substantially similar information in a substantially similar timeframe to another federal agency under an existing law, regulation, or contract,

when CISA has a joint reporting agreement with another federal agency,

when an incident impacts certain covered entities related to the Domain Name System (DNS) and

when federal agencies are required by the Federal Information Security Modernization Act of 2014 (FISMA) to report incidents to CISA.

CISA proposes that a covered entity submit CIRCIA Reports after reasonably believing that a covered incident has occurred through a web-based reporting form or other ways approved by CISA’s director. All reports will require covered entities to provide basic information, including the report type, identity of the covered entity, contact information, and third-party authorization if a third party reports on behalf of a covered entity.

CISA says that a covered entity or its authorized third party should also be prepared to provide:

a description of the function of the affected information systems, networks, or devices, including technical details and physical locations of the impacted systems, networks, or devices,

a description of the unauthorized access with substantial loss of confidentiality, integrity, or availability of the affected information system or network or disruption of business or industrial operations,

the estimated date range of the incident,

the impact on the operations of the covered entity,

a description of the vulnerabilities exploited and security defenses in place, as well as the tactics, techniques, and procedures used to perpetrate the covered cyber incident,

information on the type of incident (e.g., denial-of-service; ransomware attack; multifactor authentication interception),

indicators of compromise observed in connection with the covered cyber incident,

a description and copy or sample of any malicious software the covered entity believes is connected with the covered cyber incident and

information related to the perpetrator’s identity.

CISA is further proposing a small number of questions regarding the mitigation and response activities a covered entity is taking or has taken in response to a covered cyber incident.

How should ransom payments be reported?

CISA proposes that a covered entity or a third party acting on behalf of a covered entity submit a ransom payment report within 24 hours of making that payment. Whichever entity makes the payment must provide the following:

a description of the ransomware attack,

the vulnerabilities exploited and security defenses in place,

information on the identity of the perpetrator,

details on the ransom payment, including, where available, a screenshot or copy of the actual ransom demand,

the impact of the ransomware attack on the covered entity’s operations and

whether the covered entity requested assistance from another entity in responding to the ransomware attack or making the ransom payment, including law enforcement.

Preservation requirements and enforcement considerations

In addition to these central requirements, two other critical aspects of the NPRM are worth highlighting.

First, CISA proposes to impose two- to three-year preservation requirements on covered entities “to understand how a cyber incident was perpetrated and by whom, as well as enable data and trend analysis and the investigation of incidents.” Among these are maintaining and preserving incident records, including threat actor communications, indicators of compromise, relevant log entries, system information, forensic analysis, and more.

When it comes to enforcing the rules, CISA notes that CIRCIA provides a variety of mechanisms if it believes that a covered entity has failed to submit a CIRCIA Report under CIRCIA regulatory requirements. Among the enforcement mechanisms available to the agency are requests for information or subpoenas, referrals to the Attorney General to bring a civil action, and financial penalties, suspensions, or debarments.

Proposed rules are a ‘very solid first iteration’

The rules, intended to bolster the federal government’s visibility into the rising tide of damaging cyber incidents, will likely radically enhance how cybersecurity operates.

“CIRCIA is a game-changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure,” CISA director Jen Easterly said in announcing the NPRM. “It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats. We look forward to additional feedback from the critical infrastructure community as we move towards developing the Final Rule.”

Experts say this first effort to create a national reporting system standardized across industries is a good start. “Overall, I think it is a very solid first iteration,” Michael Daniel, president and CEO of the Cyber Threat Alliance, tells CSO. “It appropriately captures what was in the statute. They really made a good-faith effort to incorporate some of the feedback they had already received during the process. It’s a very solid foundation, and they deserve a lot of credit for producing a rule that I think is workable.”

Daniel says there are still “questions about how this integrates with other reporting systems and how and when CISA can share what’s reported through this system to other federal agencies, particularly the FBI and intel communities,” lest the new rules place too great a burden on covered entities. “In my view, the burden should be on CISA and the FBI and the intelligence community to work out how CISA will pass along reported information to those entities in a way that complies with the statute and privacy rules and other things but still get those entities the intelligence that they need to pursue their missions.”

Impact and timeline of the rules

CISA estimates the proposed rules will cover 316,244 entities that collectively will submit an estimated total of 210,525 CIRCIA reports over its analysis period (2023–2033). CISA estimates that industry will incur a total of $1.3 to $1.4 billion in costs, while the federal government will incur costs of $1.1 to $1.2 billion.

However, CISA stresses these costs will be offset by the unquantifiable benefits of countering damaging cyber campaigns, improved cyber vulnerability remediation, the development of more secure software, enhanced law enforcement cyber threat investigations, and more.

Although comments are due by May 3, the US Chamber of Commerce and more than twenty organizations have requested a month-long extension of the 60-day comment period, saying “the length and depth necessitate a comprehensive review process to ensure that all stakeholders fully understand its implications.”

CISA expects to publish its final rule in late 2025. However, to comply with the Administrative Procedure Act and Congressional Review Act requirements, CISA must delay the rule’s effective date for 60 days, pushing it to 2026.
