In 2025, new federal reporting requirements will require hundreds of thousands of organizations to report cyber incidents to the United States Government within hours of discovery, a significant change in how organizations manage cyber incidents today. On March 27, 2024, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) issued its long-anticipated Notice of Proposed Rulemaking (“Proposed Rule”), comprising more than 400 pages, to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022, 6 U.S.C. §§ 681-681(g) (“CIRCIA”). [1] CIRCIA mandated two cyber incident reporting requirements for “covered” critical infrastructure entities: (1) reporting a “covered cyber incident” within 72 hours of reasonably determining that such an incident has occurred; and (2) reporting any ransomware payment within 24 hours of it being made. Although CIRCIA established the general framework, it directed CISA to define the specific scope of these requirements. CISA’s Proposed Rule creates new, expansive reporting obligations for a wide range of organizations – even companies that may not consider themselves part of critical infrastructure – to report any “substantial” cyber incident that disrupts business or industrial operations, seriously impacts the resiliency of an operational system, or causes a substantial loss of confidentiality in a network.
These unprecedented new reporting requirements will represent a sea change in how cyber incidents have historically been handled in the United States. Under the Proposed Rule, organizations will be required to electronically submit extremely detailed reports, including an initial report and supplemental reports until the incident is fully resolved, concerning every aspect of the cyber incident (i.e., technical details, access methods, impact, security controls and detection tools, timeline, forensic investigation, containment, and mitigation efforts) and preserve all evidence for a period of two years. According to CISA’s own estimates, the Proposed Rule will impact more than 300,000 companies and cost private industry approximately $1.4 billion to comply with these new rules. Further, CISA’s cost of analyzing the mandatory reported data and ensuring critical details are shared with other government agencies will likely cost taxpayers billions of dollars.
Under CIRCIA, the final rules are required to go into effect in 18 months, by October 5, 2025. The failure to comply with these new rules could result in civil enforcement actions leading to civil penalties, suspension, or debarment. Even more serious, any person that knowingly and willfully engages in a scheme to conceal information from CISA, or makes, or causes to be made, a materially false or fraudulent statement or representation in a CIRCIA report filed with CISA could face federal criminal prosecution.
Faced with increasing cyberattacks affecting critical infrastructure – most significantly, the 2021 ransomware attack that shut down the Colonial Pipeline – CIRCIA was enacted in 2022 to improve the government’s ability to track cyber incidents and ransomware payments. Government officials have repeatedly criticized the private sector for not sharing information about cyberattacks and claimed that the lack of reported information had stymied efforts to investigate cyber threat actors and the government’s ability to respond to cyberattacks. Over the last several years, dozens of new federal and state cybersecurity regulations have been adopted impacting certain industries and businesses, and soon companies within broadly defined critical infrastructure sectors will be impacted by massive new reporting obligations. These rules will be by far the most comprehensive and, unlike the U.S. Securities and Exchange Commission’s (“SEC”) new cybersecurity disclosure rules, CIRCIA will require notification of cyber incidents within “hours” of discovery. The rules do not provide any delay mechanism for organizations to conduct a “materiality determination,” perform forensic analysis to determine the cause of the incident, or assess the severity of the intrusion.
CISA Director Jen Easterly has described CIRCIA as “a game changer for the whole cybersecurity community. It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats.” An effective and coordinated U.S. response to cyber threats is imperative; however, three aspects of CISA’s proposed regulations raise serious concerns: (1) the lack of harmonization with other governmental reporting requirements such as the Defense Federal Acquisition Regulation Supplement Clause 252.204-7012 (“DFARS 7012”); (2) the sheer volume of data that organizations will be required to report; and (3) the likelihood that the massive reporting requirements will result in CISA being inundated with voluminous data concerning not only serious threats but also more minor disruptions that have little to no impact on critical infrastructure.
What will the new Proposed Rule require?
Covered entities (defined below) will be required to:
What is a “covered cyber incident” that triggers the reporting obligation?
The Proposed Rule defines “covered” cyber incidents as events that “actually jeopardize” information systems resulting in a “substantial” adverse impact. Covered entities would be required to report a cyber incident that leads to any of the following:
This definition is not limited to certain attack vectors, but rather is intended to reach any incident that meets the impact threshold regardless of how it was caused (e.g., ransomware, exploitation of a zero-day vulnerability, a denial-of-service (“DoS”) attack, or a supply chain compromise).
What entities will be impacted and fall within the definition of “covered” entities?
The Proposed Rule applies to any organization that either (a) falls within one of the 16 broad critical infrastructure sectors defined in Presidential Policy Directive 21 (“PPD-21”) and exceeds the small business size standard specified for its industry in the U.S. Small Business Administration (“SBA”) regulations; [3] or (b) meets a sector-based criterion. [4]
Critical Infrastructure Sectors: PPD-21 specifically enumerates the following as critical infrastructure sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Governmental Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.
Small Business Size: Although the standards vary by industry, the current threshold for small business status (under the SBA’s Table of Small Business Standard effective January 1, 2022) encompasses organizations that have between 1 and 1,500 employees with annual revenue between $2.25 million and $47 million.
Sector-Based Criterion: The Proposed Rule specifies that any entity, regardless of size, that meets one or more enumerated sector-based criteria for 13 of the 16 sectors identified in PPD-21 is a covered entity. The criteria include:
In short, CISA’s proposed definition of covered entities is extremely broad and will capture companies that may not consider themselves a part of the U.S. critical infrastructure ecosystem.
What are the reporting requirements?
Within 72 hours of the discovery of a substantial cyber incident, covered entities will be required to file an Initial Report entitled “Covered Cyber Incident Report,” through a web-based portal, which contains:
Additionally, covered entities will be required to file a Ransom Payment Report no later than 24 hours after the ransom payment, which is required to contain similar information. CISA is proposing that such reports include a description of the ransomware attack, the ransom payment demand and instructions, the date and amount of the ransom payment, any assistance received from any third parties, and the outcome from making the payment (e.g., decryption key supplied, exfiltrated data deleted or returned, etc.).
It is highly unlikely that covered entities will be able to provide many of the data elements CISA is seeking within hours of discovering that a cyber incident has occurred. Covered entities will therefore be required to “promptly” submit supplemental reports within 24 hours of obtaining substantially new or different information about the incident, including information that was not known or available when the initial report was filed with CISA.
Covered entities may choose to have third parties submit these reports on their behalf, but they will remain responsible for ensuring compliance with their reporting obligations under CIRCIA.
How will these rules be enforced and are there any penalties for noncompliance?
If CISA has reason to believe that a covered entity failed to report a cyber incident or ransom payment, CIRCIA authorizes the Director of CISA (“CISA Director”) to issue a request for information (“RFI”) to the covered entity. If an entity does not sufficiently respond by the deadline, the CISA Director is authorized to issue a subpoena to compel the disclosure of the requested information. The Proposed Rule allows CISA to refer matters to a regulatory agency for enforcement action or to the Department of Justice for civil enforcement or criminal prosecution. Any person that knowingly and willfully makes, or causes to be made, a materially false or fraudulent statement or representation in connection with a CIRCIA report, RFI response, or reply to an administrative subpoena may face criminal penalties under 18 U.S.C. § 1001. Concealing “material” information from a federal agency where there is an obligation to disclose could also give rise to serious criminal charges.
As described above, once CISA’s Final Rule goes into effect to implement CIRCIA in 2025, entities that experience a cyber incident or make a ransom payment will have detailed reporting and preservation obligations.
This is for informational purposes only and is not intended to be legal advice. Please contact a member of the Cybersecurity, Privacy, & Data Protection Practice Group if you have any questions.
[1] On April 4, 2024, these draft rules were published in the Federal Register and are available at 89 Fed. Reg. 23644. See Federal Register: Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements.
[2] See § 226.1 of Proposed Rule.
[3] See 13 C.F.R. Part 121.
[4] See § 226.2 of Proposed Rule.
[5] This is a high-level summary of the sector-based criteria of the Proposed Rule and does not constitute an itemized list of all of the contents of § 226.2.
[6] See Proposed Rule § 226.8.