CISA Releases Draft Guidelines for Reporting Cyberattacks on Critical Infrastructure

Organizations would be obligated to disclose "substantial" cyberattacks within 72 hours and ransom payments within 24 hours.

File photo of a hacker on his computer. (Nicolas Asfouri/AFP via Getty Images)
Savannah Hulsey Pointer
3/29/2024
Updated: 3/29/2024
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released proposed regulations on March 27 governing how owners and operators of critical infrastructure must notify the government of cyberattacks.

CISA drafted the regulations to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which President Joe Biden signed into law on March 15, 2022.

With reports flowing in from businesses across industries, officials hope to identify attack patterns, learn the tactics used by cybercriminals and nation-state actors, and use that knowledge to strengthen defenses.

Secretary of Homeland Security Alejandro N. Mayorkas commented on the proposal in a CISA press release, saying “Cyber incident reports submitted to us through CIRCIA will enable us to better protect our nation’s critical infrastructure.

“CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents, and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors. The proposed rule is the result of collaboration with public and private stakeholders, and DHS welcomes feedback during the public comment period on the direction and substance of the final rule.”

Under the proposed rule, companies that own or operate critical infrastructure would be required to report ransom payments within 24 hours and substantial cyber incidents within 72 hours.

Healthcare, Energy, Manufacturing, Financial

Any business that owns or operates systems the U.S. government deems critical infrastructure, including those in the healthcare, energy, manufacturing, and financial services sectors, would be subject to the regulations.

The rule would also reach service providers and other operators outside critical infrastructure whose systems are indispensable to a particular sector.

“Reporting from a broad range of entities is necessary to provide adequate visibility of the cyber landscape across critical infrastructure sectors, which CIRCIA is meant to facilitate,” CISA said in its 447-page draft.

Small organizations that fall under the Small Business Administration's revenue and employee-count thresholds would be exempt.

Although covered organizations would be obligated to disclose "substantial" cyber incidents within 72 hours and ransom payments within 24 hours, CISA clarifies that a cyber incident caused by authorized activity does not trigger a reporting requirement.

This covers, for example, a third-party service provider's configuration error on a server, provided the resulting disruption is not significant. Another exception is activity a company has explicitly authorized, such as an external contractor running a penetration test to assess its defenses.

CISA said it is taking steps to harmonize its reporting obligations with those of other regulators and would, under specific conditions, let a report filed under another regulation substitute for a CIRCIA report. For another regulation's reporting to count as comparable in substance, CISA must first enter into an interagency agreement with the agency that receives those reports.

If CISA suspects that a company has suffered a cyberattack or paid a ransom without reporting it, it may issue a request for information and, if necessary, a subpoena to compel disclosure. If a business fails to comply with the subpoena, CISA may refer the matter to the Attorney General for a civil enforcement action.

Knowingly false statements to the federal government would be punishable by fines and imprisonment. Information submitted in good faith that later turns out to be inaccurate is not treated as a false statement, according to CISA.

CISA Director Jen Easterly said in the press release about the proposal, “CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure.

“It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats. We look forward to additional feedback from the critical infrastructure community as we move towards developing the Final Rule.”