In 2022, one of the most consequential steps in the cybersecurity domain was the adoption of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). This law is a ground-breaking measure to increase the timely reporting of major security incidents such as ransomware attacks and other cyber breaches. Cybersecurity preparedness is becoming increasingly crucial for all kinds of organizations. With the increased dependence on computerized operations and internet-driven processes in the post-COVID era, companies face elevated risks and more security incidents. According to a 2022 analyst report on the State of Cybersecurity and Third-Party Remote Access Risk, about 54% of business organizations faced a cyberattack in the past 12 months.
The report also highlighted that 75% of its respondents experienced a large increase in the number of security incidents, mainly due to credential theft, ransomware, DDoS, and stolen devices. There is a need, more than ever before, to improve the cyber defense posture of organizations. CIRCIA therefore attempts to close the gaps that delay adequate disclosure of data security incidents, particularly in critical business sectors.
This article will help organizations gain a clearer picture of the essential aspects of the legislation and how it can affect your business.
Which authority holds the enforcement powers under CIRCIA 2022?
The Cyber Incident Reporting for Critical Infrastructure Act empowers the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the United States Department of Homeland Security, to act as the enforcer of the CIRCIA law. This act gives CISA its first-ever enforcement powers.
When did CIRCIA 2022 officially come into effect?
Last year, on March 15, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law. The regulation is part of the Consolidated Appropriations Act, 2022. However, it is essential to understand that the reporting requirements will only be enforced once CISA completes its rulemaking process.
Which entities are subject to incident reporting under the law?
CIRCIA requires all business entities that fall within the definition of a “covered entity” to fulfill the listed reporting obligations. A covered entity is an organization operating in one of the critical infrastructure sectors covered by the law. As stated in the CIRCIA regulations, a covered entity operates in an industry that is among the 16 critical infrastructure sectors, such as energy, defense, government facilities, chemical, communications, and emergency services. These sectors are outlined in Presidential Policy Directive 21 (PPD-21). Furthermore, the CIRCIA law also directs CISA to define a covered entity based on the following principles:
- A covered entity is an organization where the consequences of the compromise or disruption of its cyber defenses can result in issues related to national security, public safety, and economic certainty.
- The extent to which damage to, disruption of, or unauthorized access to such an entity, including access to sensitive information about cybersecurity vulnerabilities or to penetration testing tools and techniques, could hinder the reliable functioning of essential infrastructure, and
- The probability that such entities may be the target of a cyber attack, including one carried out by a foreign country, is high.
Which types of events trigger a reporting obligation under CIRCIA 2022?
Under the CIRCIA framework, a reporting obligation is triggered by either a ransomware payment or a covered cyber incident.
- For a covered cyber incident, a covered entity must report the incident to CISA as well as the Department of Homeland Security (DHS). The reporting obligation arises when a covered entity reasonably believes that a covered cyber incident, as defined under CISA rulemaking, has occurred. Covered entities must report a covered cyber incident within 72 hours of its occurrence. Examples of covered cyber incidents include denial of service attacks that last for over 12 hours, unauthorized system access, phishing attempts, and malicious code.
- Where a covered entity makes a payment as a result of a ransomware attack, it must notify CISA and DHS within 24 hours of making the payment. Organizations should note that CIRCIA does not impose a reporting obligation for payments made in other types of online extortion, only for ransomware attacks. The reporting requirement also applies to any ransomware payment that does not meet the criteria of a covered cyber incident.
What are the ways to share event information under the regulation?
The Cybersecurity and Infrastructure Security Agency has set forth three mechanisms for reporting required cyber incident details:
Use the CISA Incident Reporting System
The CISA Incident Reporting System offers a convenient and efficient way for critical infrastructure partners to submit an incident report. The form contains prompts that guide the reporting process.
Email Reports@cisa.gov
Entities that have not used the CISA Incident Reporting System before, or that need to file a report quickly, can email Reports@cisa.gov with as much information about the cyber event as possible.
Report phishing to phishing-report@us-cert.gov
Additionally, covered entities can share information about phishing attempts, including phishing emails, mobile messages, and website locations, by emailing the details to phishing-report@us-cert.gov.
What are the fundamental elements that you need to include in your incident report?
According to CISA, the incident report you share should include certain specific elements, which CISA lists as priorities for information sharing. These fundamental elements are:
- The date and time of the incident
- The location of the incident
- The type of activity observed
- A detailed description of the event
- The number of people or systems affected
- The name of the company or organization involved
- Contact information for the relevant point of contact
- The severity of the event
- The critical infrastructure sector, if known
- Any additional parties that the victim has informed
What are the critical milestones in the implementation of CIRCIA 2022?
The details surrounding the requirements of CIRCIA 2022 are not yet set in stone. Several key milestones are upcoming in the process.
One of the major milestones is March 15, 2024, which marks the deadline for the publication of a Notice of Proposed Rulemaking (NPRM). This signals that the initial draft of the proposed regulations is finished and that the NPRM is open for public input. For organizations with connections to ISACs, ISAOs, or government entities that may be consulted, now is an opportune time to begin engaging in dialogue and making use of those informal networks.
Another important date to note is September 15, 2025, which is the deadline for CISA to release the Final Rule that will govern reporting and, in theory, when official implementation would commence. However, in the event of another major attack on infrastructure, there is a chance that Congress may move up this timeline.
How will the legislation protect reporting entities under its purview?
CIRCIA offers significant protections for entities that report cyber incidents or ransom payments to DHS and CISA. These protections include the following:
- Information shared by DHS and CISA from reports of covered cyber incidents or ransom payments will be anonymized to protect the identity of the victim.
- Information cannot be used in any federal, state, local, or tribal enforcement proceeding against the reporting entity.
- The government can only use the information it receives under CIRCIA for specific purposes, such as identifying and responding to cyber threats and other serious harm (such as threats of death, serious bodily harm, severe economic harm, or sexual exploitation of a child).
- Reported information is considered the reporting entity’s commercial, financial, and proprietary information when designated as such.
- Reports are exempt from disclosure under the Freedom of Information Act (FOIA).
- Providing the information to the government will not be seen as a waiver of attorney-client privilege or other applicable discovery protections, or trade secret protection.
- There will be no cause of action in any court for the submission of information under CIRCIA.
- Reports submitted under CIRCIA, or any communication or material prepared for the sole purpose of preparing, drafting, or submitting a report, may not be received in evidence, subjected to discovery, or otherwise used in any legal proceedings.
How can businesses prepare for CIRCIA 2022?
As the implementation timeline for CIRCIA is not yet fixed, it’s crucial for organizations to begin their preparations as soon as possible. Some steps that can be taken immediately include:
- Stay up to date: Organizations should keep themselves informed about the rulemaking process and be aware of opportunities to provide input, as well as any changes to the implementation timeline.
- Begin reporting cyber incidents now: Although the reporting requirements will only become mandatory once the Final Rule is issued by CISA, organizations should share information on cyber incidents with CISA voluntarily. Doing so improves visibility and security even before the CIRCIA rules take effect.
- Be proactive: If the requirements seem burdensome, it’s important to voice concerns and provide feedback. Issues such as the need to re-image a server to resume operations after an event, which conflicts with the need to document or preserve evidence, are important to address during the development stage.
NaviSec can guide you through compliance with CIRCIA 2022!
NaviSec is an ideal partner for organizations looking to comply with the new regulations under CIRCIA 2022. With our comprehensive approach to compliance, we can guide organizations through the complex requirements and ensure they are well prepared for implementation. Whether it is staying informed, participating in the rulemaking process, or starting to report cyber incidents, we can provide the support and expertise organizations need to navigate the compliance landscape.