Disclaimer: This blog offers general information and should not be considered legal advice. Consult your own legal counsel for specific advice.<\/i><\/p>\n
The Cyber Incident Reporting for Critical Infrastructure Act of 2022<\/a> (CIRCIA) was signed into law by President Biden in 2022. Its goal is to strengthen the cybersecurity posture of the United States by establishing more robust incident reporting requirements for critical infrastructure entities. A key requirement of CIRCIA is for the Cybersecurity and Infrastructure Security Agency<\/a> (CISA) to develop regulations to implement the law.<\/p>\n On April 4, 2024<\/strong>, CISA published a Notice of Proposed Rulemaking<\/a> (NPRM), setting out such proposed regulations and seeking public input. Unless the comment period is extended, the public will have 60 days to submit written comments, and CISA will have 18 months to issue a final rule, which is anticipated to come into effect in early 2026.<\/p>\n Covered entities include any organization within critical infrastructure sectors that exceed small business size standards (based on industry-specific SBA standards<\/a>) and any entity, regardless of size, that falls into proposed sector-based criteria within a critical infrastructure sector. CISA estimates that upwards of 316,000 organizations will be considered “covered entities” under this rule.<\/p>\n The critical infrastructure sectors include:<\/p>\n CISA referenced the Presidential Policy Directive 21<\/a> for the list of these 16 critical infrastructure sectors. It elected not to propose sector-specific criteria for 3 sectors (Commercial Facilities, Dams, and Food & Agriculture). Organizations that don’t exceed the small business standards could still be subject to the rule if they meet one or more sector-specific criteria across the other 13 critical infrastructure sectors. For example, Information Technology companies providing IT hardware, software systems, or services to the federal government would fall within the requirements regardless of their size. CISA intends to publish additional guidance with the final rule to help organizations better understand whether they are part of a critical infrastructure sector. <\/p>\n A covered cyber incident is defined as a cyber incident that leads to any of the following impacts:<\/p>\n Covered entities that make a ransomware payment must also report.<\/p>\n Under the proposed rule, covered entities will be required to report to CISA within 72 hours after they reasonably believe a covered cyber incident has occurred, and within 24 hours after a ransomware payment is disbursed. There are also requirements to update these reports.<\/p>\n CISA is proposing a web-based “CIRCIA Incident Reporting Form” that they plan to make available. The report must include specific types and categories of information relating to the incident, depending on whether it is a Covered Cyber Incident Report or a Ransom Payment Report.<\/p>\n CISA indicates it will work with other federal agencies to find opportunities to reduce duplicative reporting by allowing organizations required to report similar information in similar timeframes to avoid reporting it again under CIRCIA.<\/p>\n Acknowledging the often-sensitive nature of these reports, the proposed rule states that a covered entity will not be required to waive applicable privilege or protection by submitting a report, and such reports are not subject to disclosure under public records laws such as the Freedom of Information Act.<\/p>\n Companies subject to the proposed rule should take several steps to prepare for it to become final:<\/p>\n Remember that CISA\u2019s proposed rule is open for public comment until June 3, 2024<\/strong>. Organizations can provide feedback during this period, which will be considered in developing the Final Rule<\/a>. <\/p>\n Infoblox SOC Insights allows customers to identify, monitor, and analyze threat actors and their activities on their networks. For more information, click here<\/a> or contact an Infoblox representative.<\/p>\nWho is in Scope for Reporting?<\/h3>\n
\n
What Triggers a Report?<\/h3>\n
\n
Reporting Timelines<\/h3>\n
Preparing for Compliance<\/h3>\n
\n
\n
\n
\nEarly sharing helps prevent other organizations from falling victim to similar incidents and aids in identifying trends.<\/a><\/li>\n<\/ol>\n