Data Security

CISA Releases NPRM to Codify National Cyber Incident Reporting Requirements 

Published: Apr. 10, 2024

Updated: Apr. 16, 2024

On March 27, 2024, the U.S. Cybersecurity and Infrastructure Agency (CISA) posted a Notice of Proposed Rulemaking (NPRM) that would establish national cyber incident and ransom payment reporting requirements, as mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The lengthy NPRM establishes a 72-hour agency reporting deadline for covered cyber incidents and a 24-hour reporting deadline for ransomware payments while expanding the types of entities subject to such reporting requirements. 

Businesses will have until June 3, 2024 to submit comments.

Covered Entities

The NPRM borrows CIRCIA’s definition of a covered entity, which encompasses entities within the 16 critical infrastructure sectors[1] specified in Presidential Policy Directive 21 (PPD-21). In addition to falling within one of those sixteen enumerated critical infrastructure sectors, a covered entity must either: (1) exceed the small business size standards set by the Small Business Administration; or (2) satisfy sector-based criteria designed to extend the reporting requirements to small businesses in certain critical infrastructure sectors.[2] Because the definitions of the critical infrastructure sectors are ambiguous, the proposed regulation has the potential to cast a broad net and sweep in a large number of entities; organizations across a wide range of industries should therefore assess whether the draft regulations apply to them.

Covered Cyber Incidents 

CISA’s proposed definition for “covered cyber incidents” is significant because it is broader than what would otherwise be defined as a reportable incident. Notably, other regulatory regimes, such as state data breach notification laws, are narrowly tailored to trigger reporting obligations based on the type of data compromised. Here, the NPRM includes incidents involving confidentiality, integrity, and availability impacts to critical infrastructure within the proposed scope.

Only covered cyber incidents trigger reporting requirements under CIRCIA. While CIRCIA itself defines “cyber incident” and “substantial cyber incident,” it directs CISA to propose a definition for “covered cyber incident.” In the NPRM, CISA defines “covered cyber incidents” as substantial cyber incidents that lead to any of the following:

  • a substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network;
  • a serious impact on the safety and resiliency of a covered entity’s operational systems and processes;
  • a disruption of a covered entity’s ability to engage in business or industrial operations, or to deliver goods or services;
  • unauthorized access to a covered entity’s information system or network, or to any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or a supply chain compromise; or
  • any cyber incident, including but not limited to a compromise of a cloud service provider, managed service provider, third-party data hosting provider, or supply chain, a denial-of-service attack, a ransomware attack, or an exploitation of a zero-day vulnerability.

Exceptions to Covered Cyber Incidents 

In the NPRM, CISA also extends the list of exceptions to the definition of covered cyber incident contained in CIRCIA, to include lawfully authorized activity of a United States Government entity or state, local, tribal, or territorial (SLTT) Government entity, authorized security vulnerability or penetration testing, or a threatened denial of service. Businesses should refer to the NPRM for examples of cyber incidents that would and would not qualify as covered cyber incidents.

Short Reporting Timelines & Requirements 

The NPRM proposes four types of reports (collectively, “CIRCIA Reports”) with differing reporting requirements: (1) Covered Cyber Incident Report; (2) Ransom Payment Report; (3) Supplemental Reports; and (4) a Joint Covered Cyber Incident and Ransom Payment Report. The reporting timelines imposed by the proposed regulations resemble those of European regulators (per the GDPR) and are likely to challenge business teams as they simultaneously prioritize containment and reporting. 

  • Covered Cyber Incident Report: Covered entities must report covered cyber incidents to CISA within 72 hours after the covered entity reasonably believes the covered cyber incident has occurred. In the report, covered entities must describe incident details, such as the information systems affected, the degree of compromise, and an estimated date range for the incident.
  • Ransom Payment Report: Covered entities must report any ransom payments made in response to a ransomware attack within 24 hours after the ransom payment has been made. Ransom Payment Reports must describe the ransomware attack and provide details, including but not limited to, any identifying or contact information associated with the threat actor, the amount of the payment, the date of the payment, and any result of the payment.
  • Joint Covered Cyber Incident and Ransom Payment Report: Covered entities may elect to submit a covered incident report and ransom payment report simultaneously.
  • Supplemental Report: Covered entities must submit any updates or supplements to a previously submitted Covered Cyber Incident Report if (1) substantial new or different information becomes available to the covered entity; or (2) the covered entity makes a ransom payment after it has submitted a Covered Cyber Incident Report.

A covered entity has the option of submitting the report itself or through a third-party, such as an incident response company, insurance provider, or law firm, and may include any additional, optional information in the report. Pursuant to CIRCIA, CISA must develop a web-based form through which covered entities may submit CIRCIA Reports.

The NPRM does not require a covered entity to notify CISA if the covered entity believes the covered cyber incident has been fully mitigated and resolved. Regardless of whether the covered entity is required to submit a CIRCIA Report, the covered entity must preserve data related to a covered cyber incident or ransom payment for a minimum of two years from the CIRCIA reporting deadline.

Exceptions to the Reporting Requirement

A covered entity may forgo submitting a CIRCIA Report if the covered entity is legally required to report substantially similar information within a substantially similar timeframe to another federal agency with which CISA has an information sharing agreement. In addition, certain types of entities are exempted from the reporting requirements. Reporting obligations do not apply to: (1) covered entities that are owned, operated, or governed by multi-stakeholder organizations that develop, implement, and enforce policies concerning the Domain Name System; or (2) federal agencies that are otherwise required to report the covered cyber incident to CISA pursuant to the Federal Information Security Act of 2002. For many organizations, the NPRM will likely require CIRCIA Reports in addition to other regulatory reporting obligations.

CISA Authority to Issue Legal Demands

Under the NPRM, the Director of CISA or a designee may issue requests for information if CISA believes (1) the covered entity has failed to report a covered cyber incident or ransom payment; or (2) a report is deficient or otherwise noncompliant. The NPRM grants the Director additional nondelegable subpoena power, which the Director may use if the Director believes an entity has not submitted a CIRCIA report when required or has failed to adequately comply with a request for information within 72 hours. 

Enforcement

If an entity does not comply with valid legal demands from CISA, CISA may refer the matter to the Department of Justice (DOJ), so that DOJ may decide whether to prosecute the covered entity. If DOJ determines an entity knowingly and willfully makes materially false or fraudulent statements or representations in a CIRCIA Report or response to a legal demand from CISA, DOJ may impose penalties, including a fine or imprisonment of up to 8 years.

Protections

CISA offers a number of legal protections for covered entities that comply with proposed reporting requirements. In the NPRM, CISA suggests restricting disclosure of information contained in CIRCIA reports by designating certain information as proprietary and exempting CIRCIA Report data from FOIA disclosure. CISA also proposes barring waiver of privilege and prohibiting waiver of ex parte communications. Finally, and most importantly, the NPRM instructs courts to immediately dismiss any causes of action arising from a properly filed CIRCIA Report or response that adequately answers a CISA legal demand. This shield against suit mimics a practice adopted by some regulators of treating regulated entities with leniency if the entity has engaged in good faith participation with regulatory inquiries.


[1] PPD-21 enumerates the following 16 sectors as “critical infrastructure”: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.

[2] The NPRM imposes sector-specific criteria for 13 critical infrastructure sectors: Chemical; Communications; Critical Manufacturing; Defense Industrial Base; Emergency Services; Energy; Financial Services; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.