Critical Input Needed: US Critical Infrastructure Invited to Comment on Proposed Cyber Reporting Rules
The Cybersecurity and Infrastructure Security Agency (CISA) has published a Request for Information (RFI) and announced “public listening sessions” soliciting comments prior to formal rulemaking under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA was enacted in March 2022 amid growing concern about cybersecurity threats and incidents affecting US critical infrastructure. Among other requirements, CIRCIA directs CISA to establish a mandatory regime under which critical infrastructure entities must report (1) certain cyber incidents to CISA within 72 hours of a reasonable belief that they have occurred and (2) a ransom payment within 24 hours of making the payment. Entities that may belong to one of the critical infrastructure sectors are advised to consider providing information to CISA to help define the scope of CIRCIA and the criteria that may sensibly be adopted to narrow that scope appropriately and avoid confusion about who is covered.
CIRCIA delegates broad regulatory authority to CISA, which is responsible for promulgating regulations that better define applicability and reporting requirements under the law. Under CIRCIA, CISA must publish a notice of proposed rulemaking by March 2024 and final rules within 18 months of the proposed rules, or no later than September 2025. Entities operating in critical infrastructure may consider submitting comments now to help appropriately define the scope and corresponding reporting obligations. The RFI is open for comments until November 14, 2022. CISA will also host a series of “public listening sessions” for stakeholders to provide feedback on the upcoming regulations, with more than ten such sessions already announced across the United States from September to November 2022.
CISA welcomes public comment on any topic related to the upcoming regulations, and has also identified a non-exhaustive list of 32 topics of interest to CISA, including definitions and interpretations of terminology, estimates of the number of reports to expect, and reporting triggers and requirements under the law.
The main topics open to comments include:
What is a Covered Entity?
One of the most critical definitions left to CISA rulemaking is the definition of a “covered entity” required to comply with CIRCIA requirements. CIRCIA defines a “covered entity” as an entity that falls under one of the 16 critical infrastructure sectors identified in Presidential Policy Directive 21 (PPD-21) and as further defined by regulations promulgated by CISA.
When submitting comments, entities may wish to consider the three factors set out in CIRCIA to guide the development of CISA rules on the scope of “covered entities” for reporting purposes: (1) the consequences that disruption to or compromise of the entity could have for national security, economic security, or public health and safety; (2) the likelihood that the entity could be targeted by a malicious cyber actor; and (3) the extent to which damage, disruption, or unauthorized access to the entity could reasonably be expected to interfere with the reliable operation of critical infrastructure.
What is a reportable incident?
CIRCIA requires Covered Entities to report a “Covered Cyber Incident” to CISA within 72 hours, and CISA invites additional comments on the definition of the terms used to define incidents. A “cyber incident” is currently defined by law as an event that actually jeopardizes, without legitimate authorization, the integrity, confidentiality or availability of information on an information system, or that jeopardizes, without legitimate authorization, an information system. But not all of these incidents will be reportable, because under CIRCIA only “substantial cyber incidents” can constitute “covered cyber incidents” subject to reporting requirements – and CISA is also seeking information on what constitutes a “substantial” incident.
Entities may wish to comment on these incident definitions to help CISA better align the definition with existing cyber incident reporting requirements and industry practices for incident tracking and reporting. Notably, the CISA RFI specifically requests comments on similarities and differences with other federal incident reporting triggers (and entities may also wish to highlight relevant national and international reporting thresholds). Entities are well advised to consider how their existing incident response processes would define and assess incidents – to better understand what the CISA reporting requirements would mean for those processes and where changes might be needed – as this may influence how entities provide information to CISA in advance of the finalization of these incident definitions.
What is a ransomware attack and a ransom payment?
CIRCIA requires Covered Entities to report a ransom payment to CISA within 24 hours. A “ransom payment” is defined under CIRCIA as the transmission of any money or other property or asset, including virtual currency, or any part thereof, that has at any time been given as a ransom as part of a ransomware attack. A “ransomware attack” is defined as an incident that includes the use or threat of use of unauthorized or malicious code on an information system, or the use or threat of use of another digital mechanism, such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability or integrity of electronic data stored on, processed by or transiting through an information system, in order to extort a demand for a ransom payment.
Entities may wish to comment on the definitions of “ransom payment” and “ransomware attack” to help guide the final reporting requirement.
What should trigger reporting requirements?
CISA requested detailed information on reporting requirements under CIRCIA, including when the 72-hour deadline for reporting cyber incidents and the 24-hour deadline for reporting ransom payments should begin to run. CISA specifically seeks comment on what should constitute a “reasonable belief” that a covered cyber incident has occurred, which triggers the 72-hour reporting deadline; this is likely to be a key question for legal counsel helping entities comply with the final regulations.
Format, manner and content of reports.
Entities are encouraged to comment on the format, manner and content of reporting required for covered cyber incidents and ransom payments.
In addition to the initial cyber incident reports made within the 72-hour deadline, CISA requested feedback on the process, format, manner, and content of supplemental reports. Notably, CISA sought comment on what constitutes “material new or different information” such that supplemental reporting would be required, as well as comment on the criteria by which a covered entity can determine that the “covered cyber incident” in question has ended and has been fully mitigated and resolved.
Harmonization with existing regulations.
CISA is also seeking comments on how best to align reporting requirements under CIRCIA with reporting obligations under applicable laws and regulations. Entities are encouraged to comment on similarities, differences and potential conflicts between the requirements of CIRCIA and the requirements of applicable laws and regulations.
Additional topics for comments.
In addition to the main areas of comment discussed above, CISA is also seeking comment on how Third Party Entities should be permitted to report on behalf of Covered Entities and how a Third Party may perform its responsibility to notify an affected Covered Entity of its ransom payment reporting obligations. CISA further invites comments on policies, procedures and requirements related to enforcement of CIRCIA requirements, requests for information, protection of reporting entities, and requirements for the preservation and retention of information, as well as any other policies, procedures or requirements that would benefit Covered Entities.
Although not expressly mentioned in the RFI, an open question that may increase litigation risk for covered entities is whether reports submitted to CISA will be made public.
CISA invites comments during the fall of 2022, with written comments on the RFI due by November 14, 2022. Entities operating in critical infrastructure may wish to monitor industry comments by participating in the listening sessions, discussing potential implications with trusted advisors and industry groups, and considering providing feedback now on the key issues they face with the upcoming regulations, before CISA’s position on the scope and reporting requirements under CIRCIA begins to solidify during the upcoming regulatory process.