Navigating Profound Change: CISA Announces Proposed Rule for Mandated Cyber Incident Reporting


In 2025, new federal reporting requirements will require hundreds of thousands of organizations to report cyber incidents within hours of discovery to the United States Government, marking a significant impact on how organizations manage cyber incidents today. On March 27, 2024, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) issued its long-anticipated Notice of Proposed Rulemaking (“Proposed Rule”) comprising more than 400 pages to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022, 6 U.S.C. §§ 681-681(g) (“CIRCIA”). [1] CIRCIA mandated two cyber incident reporting requirements for “covered” critical infrastructure entities: (1) reporting a “covered cyber incident” within 72 hours of reasonably determining that such an incident has occurred; and (2) reporting any ransomware payment within 24 hours of it being made. Although CIRCIA established the general framework, it directed CISA to define the specific scope of these requirements. CISA’s Proposed Rule creates new expansive reporting obligations for a wide range of organizations – even companies that may not consider themselves part of critical infrastructure – to report any “substantial” cyber incident that disrupts business or industrial operations, seriously impacts the resiliency of an operational system, or causes a substantial loss of confidentiality in a network.

These unprecedented new reporting requirements will represent a sea change in how cyber incidents have historically been handled in the United States. Under the Proposed Rule, organizations will be required to electronically submit extremely detailed reports, including an initial report and supplemental reports until the incident is fully resolved, concerning every aspect of the cyber incident (i.e., technical details, access methods, impact, security controls and detection tools, timeline, forensic investigation, containment, and mitigation efforts) and preserve all evidence for a period of two years. According to CISA’s own estimates, the Proposed Rule will impact more than 300,000 companies and cost private industry approximately $1.4 billion to comply with these new rules. Further, CISA’s cost of analyzing the mandatory reported data and ensuring critical details are shared with other government agencies will likely cost taxpayers billions of dollars.

Under CIRCIA, the final rules are required to go into effect in 18 months, by October 5, 2025. The failure to comply with these new rules could result in civil enforcement actions leading to civil penalties, suspension, or debarment. Even more serious, any person that knowingly and willfully engages in a scheme to conceal information from CISA, or makes, or causes to be made, a materially false or fraudulent statement or representation in a CIRCIA report filed with CISA could face federal criminal prosecution.

Overview

Faced with increasing cyberattacks affecting critical infrastructure – most significantly, the 2021 ransomware attack that shut down the Colonial Pipeline – CIRCIA was enacted in 2022 to improve the government’s ability to track cyber incidents and ransomware payments. Government officials have repeatedly criticized the private sector for not sharing information about cyberattacks and claimed that the lack of reporting information had stymied efforts to investigate cyber threat actors and the government’s ability to respond to cyberattacks. Over the last several years, dozens of new federal and state cybersecurity regulations have been adopted impacting certain industries and businesses, and soon companies within broadly defined critical infrastructure sectors will be impacted by massive new reporting obligations. These rules will be by far the most comprehensive and, unlike the U.S. Securities and Exchange Commission’s (“SEC”) new cybersecurity disclosure rules, CIRCIA will require notification of cyber incidents within “hours” of discovery. They do not provide any delay mechanism for organizations to conduct a “materiality determination,” perform forensic analysis to determine the cause of the incident, or assess the severity of the intrusion.

CISA Director Jen Easterly has described CIRCIA as “a game changer for the whole cybersecurity community. It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats.” An effective and coordinated U.S. response to cyber threats is imperative, but three aspects of CISA’s proposed regulations raise serious concerns: (1) the lack of harmonization with other governmental reporting requirements such as the Defense Federal Acquisition Regulation Supplement Clause 252.204-7012 (“DFARS 7012”); (2) the sheer volume of data that organizations will be required to report; and (3) the likelihood that the massive reporting requirements will result in CISA being inundated with voluminous data concerning not only serious threats but also more minor disruptions that have little to no impact on critical infrastructure.

Highlights of the Proposed Rule

What will the new Proposed Rule require?

Covered entities (defined below) will be required to:

  • Report “substantial” cyber incidents to CISA within 72 hours of discovery by submitting a Cyber Incident Report;
  • Promptly submit supplemental reports to CISA as new or updated information is learned about the cyber incident;
  • Report ransom payments to CISA within 24 hours of the payment being disbursed; and
  • Preserve and retain all data and records pertaining to the cyber incident or ransom payment for two years.

What is a “covered cyber incident” that triggers the reporting obligation?

The Proposed Rule defines “covered” cyber incidents as events that “actually jeopardize” information systems resulting in a “substantial” adverse impact. Covered entities would be required to report a cyber incident that leads to any of the following:

  • A substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network;
  • A serious impact on the safety and resiliency of a covered entity’s operational systems and processes;
  • A disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or
  • Unauthorized access to a covered entity’s information system or network, or access to any nonpublic information stored there, which was caused or facilitated by a compromise of a cloud service provider (“CSP”), managed services provider (“MSP”), other third-party data hosting provider, or a supply chain compromise. [2]

This definition is not limited to certain attack vectors, but rather is intended to reach any incident that meets the impact threshold regardless of how it was caused (e.g., ransomware, exploitation of a zero-day vulnerability, denial-of-service attack (“DoS”), supply chain compromise).

What entities will be impacted and fall within the definition of “covered” entities?

The Proposed Rule applies to any organization that either (a) falls within one of the 16 broad critical infrastructure sectors defined in Presidential Policy Directive 21 (“PPD-21”) and exceeds the small business size standard specified for its industry in the U.S. Small Business Administration (“SBA”) regulations; [3] or (b) meets a sector-based criterion. [4]

Critical Infrastructure Sectors: PPD-21 specifically enumerates the following as critical infrastructure sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Governmental Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.

Small Business Size: Although the standards vary by industry, the current threshold for small business status (under the SBA’s Table of Small Business Standard effective January 1, 2022) encompasses organizations that have between 1 and 1,500 employees with annual revenue between $2.25 million and $47 million.

Sector-Based Criterion: The Proposed Rule specifies that any entity, regardless of size, that meets one or more of the enumerated sector-based criteria for 13 of the 16 sectors identified in PPD-21 is a covered entity. These criteria include:

  • An entity that owns or operates a covered chemical facility subject to the Chemical Facility Anti-Terrorism Standards;
  • An entity that provides wire or radio communication service to the public, business, or government;
  • An entity that owns or operates a business involved in critical manufacturing;
  • A defense contractor or subcontractor that provides critical support to the Department of Defense and is subject to DFARS 7012;
  • An entity that performs an emergency service or function;
  • An energy-related company that is required to file cybersecurity incident reports with the North American Electric Reliability Corporation or required to file emergency incident and disturbance reports with the Department of Energy;
  • A financial services entity that owns or operates a bank, a federally insured credit union, facility, market, or dealer regulated by the Commodity Futures Trading Commission, or money service business;
  • An institute of higher education that receives funding under Title IV of the Higher Education Act;
  • A local educational agency, educational service agency, or state educational agency with a student population equal to or greater than 1,000;
  • An entity that manufactures, sells, or provides managed services for information or technology used to support elections;
  • An entity that owns or operates a hospital with 100 or more beds or a critical access hospital;
  • An entity that manufactures essential medicines or moderate (Class II) or high (Class III) risk devices;
  • An information technology company or service provider that provides hardware, software, systems, or services to the federal government, or develops, sells, or licenses software related to or concerning access controls, the management of privileges, or trust functions;
  • An original equipment manufacturer, vendor, or integrator of operational technology hardware or software components;
  • An entity that owns or operates a commercial nuclear power reactor or fuel cycle facility;
  • Transportation system entities such as freight and passenger railroad carriers, aircraft operators, critical pipeline facilities and systems, and maritime vessels or facilities; and
  • An entity that owns or operates a community water system or publicly owned treatment works. [5]

In short, CISA’s proposed definition of covered entities is extremely broad and will capture companies that may not consider themselves a part of the U.S. critical infrastructure ecosystem.

What are the reporting requirements?

Within 72 hours of the discovery of a substantial cyber incident, covered entities will be required to file an Initial Report entitled “Covered Cyber Incident Report,” through a web-based portal, which contains:

  • A detailed description of the cyber incident, including an identification and description of the affected systems, a description of the unauthorized access and the type of information compromised, a timeline of the incident, and the operational impact;
  • The type of incident (e.g., ransomware, DoS, zero-day exploitation, supply chain compromise, phishing, spoofing) and the tactics, techniques, and procedures used by the threat actor and any associated indicators of compromise;
  • A description of any vulnerabilities that were exploited as well as a description of the covered entity’s security defenses in place at the time of the incident;
  • A description, and if available a copy or sample of, any malicious software connected with the incident;
  • Any attribution-related information; and
  • A description of mitigation and response activities, including whether law enforcement was notified and is investigating the incident. [6]

Additionally, covered entities will be required to file a Ransom Payment Report no later than 24 hours after the ransom payment, which is required to contain similar information. CISA is proposing that such reports include a description of the ransomware attack, the ransom payment demand and instructions, the date and amount of the ransom payment, any assistance received from any third parties, and the outcome from making the payment (e.g., decryption key supplied, exfiltrated data deleted or returned, etc.).

It is highly unlikely that covered entities will be able to provide many of the data elements CISA is seeking within hours of discovering a cyber incident has occurred. Covered entities will therefore be required to “promptly” submit supplemental reports within 24 hours of obtaining substantially new or different information about the incident, including information that was not known or available when the initial report was filed with CISA.

Covered entities may choose to have third parties submit these reports on their behalf, but they will still remain responsible for ensuring compliance with their reporting obligations under CIRCIA.

How will these rules be enforced and are there any penalties for noncompliance?

If CISA has reason to believe that a covered entity failed to report a cyber incident or ransom payment, CIRCIA authorizes the Director of CISA (“CISA Director”) to issue a request for information (“RFI”) to the covered entity. If an entity does not sufficiently respond by the deadline, the CISA Director is authorized to issue a subpoena to compel the disclosure of the requested information. The Proposed Rule allows CISA to refer matters to a regulatory agency for enforcement action or to the Department of Justice for civil enforcement or criminal prosecution. Any person that knowingly and willfully makes, or causes to be made, a materially false or fraudulent statement or representation in connection with a CIRCIA report, RFI response, or reply to an administrative subpoena may face criminal penalties under 18 U.S.C. § 1001. Concealing “material” information from a federal agency where there is an obligation to disclose also could give rise to serious criminal charges.

Takeaways

As described above, once CISA’s Final Rule goes into effect to implement CIRCIA in 2025, entities that experience a cyber incident or make a ransom payment will have detailed reporting and preservation obligations.

  1. Submit your comments on the Proposed Rule by June 3, 2024. On April 4, 2024, these proposed rules were published in the Federal Register. The public and interested parties have until June 3, 2024 to submit their comments. CISA is seeking input and comments on various aspects of the rules, including the proposed scope and definitions of both cyber incidents and critical infrastructure entities covered by the rules, the content of the mandatory reports, data preservation requirements, and enforcement mechanisms. Anyone who may be impacted by these rules should consider submitting comments.
  2. Determine whether your organization qualifies as a “covered entity” and if it is, develop and implement compliance policies and procedures in advance of these new expansive and detailed regulatory requirements going into effect.
  3. If your organization does not have an Incident Response Plan (“IRP”) or has not updated it recently, this should serve as a wake-up call to develop and maintain an IRP. An IRP will minimize the damage, recovery time, and costs associated with a cyberattack by enabling an organization to quickly detect, respond to, and recover from a cyber incident while also complying with its legal obligations. Under CIRCIA, covered entities will be expected to submit detailed reports about cyber incidents within “hours, not days” of discovery. Organizations should practice using their IRP by conducting tabletop exercises and ensure that their entire Incident Response Team is prepared to respond to a cyber incident.

This is for informational purposes only and is not intended to be legal advice. Please contact a member of the Cybersecurity, Privacy, & Data Protection Practice Group if you have any questions.


[1] On April 4, 2024, these draft rules were published in the Federal Register and are available at 89 Fed. Reg. 23644. See Federal Register: Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements.

[2] See § 226.1 of Proposed Rule.

[3] See 13 C.F.R. Part 121.

[4] See § 226.2 of Proposed Rule.

[5] This is a high-level summary of the sector-based criteria of the Proposed Rule and does not constitute an itemized list of all of the contents of § 226.2.

[6] See § 226.8 of Proposed Rule.