Today, April 4, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”) officially published its long-awaited Notice of Proposed Rulemaking (“Proposed Rule”) implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The Proposed Rule requests written comments from the public no later than June 3, 2024. CISA then has 18 months from publication to promulgate a final rule, which is expected to be finalized and in effect by October 2025.

CIRCIA Big Picture

CIRCIA is a significant piece of federal legislation that transforms how businesses deemed “critical infrastructure” report cyber attacks and how that information is shared. In the United States, 85% of critical infrastructure is owned by the private sector, and it is the foundation for our way of life: businesses that ensure our water runs clean, keep our planes in the sky, and power our homes, among many other essential functions. The need to secure our critical infrastructure is at an all-time high, and the 447-page Proposed Rule explains in detail how CISA intends to use CIRCIA toward that end. Key features of CIRCIA include:

  • Mandatory incident reporting: disclosure of covered cyber incidents to CISA within 72 hours of when a covered entity reasonably believes a covered cyber incident has occurred
  • Ransomware payment reporting: reporting of any ransom payment to CISA within 24 hours of the payment being made
  • Data preservation: preservation of data relevant to covered cyber incidents and ransom payments
  • Federal information sharing: a federal agency that receives a report of a cyber incident must share it with CISA within 24 hours of receipt; CISA, in turn, must share the reports it receives with the appropriate federal agencies within 24 hours

Highlights of the Proposed Rule

Although CIRCIA defines a general framework, the statute delegates rulemaking authority to CISA to implement CIRCIA’s mandatory reporting provisions. The statute directs CISA to engage in rulemaking to address (1) the types of entities that constitute covered entities, (2) the types of substantial cyber incidents that constitute covered cyber incidents, (3) the specific required contents of incident reports and ransomware payment reports, (4) the types of data to be preserved in relation to cyber incidents and ransomware payments, (5) deadlines and criteria for submitting supplemental reports, and (6) procedures for the submission of reports.

1. Who Is Covered by CIRCIA?

The Proposed Rule defines a number of terms, including who is considered a “covered entity” under CIRCIA. CIRCIA applies to entities in a critical infrastructure sector (i.e., one of the sectors enumerated in PPD-21) that either exceed the applicable small business size standard (as set by the Small Business Administration) or meet any of the following “sector-based criteria”:

  • Owns or operates a covered chemical facility
  • Provides wire or radio communications service
  • Owns or operates critical manufacturing sector infrastructure
  • Provides operationally critical support to the Department of Defense or processes, stores, or transmits covered defense information
  • Performs an emergency service or function
  • Owns or operates financial services sector infrastructure
  • Qualifies as a State, local, Tribal, or territorial government entity
  • Qualifies as an education facility
  • Involved with information and communications technology to support elections processes
  • Provides essential public health-related services
  • Information technology entities
  • Owns or operates a commercial nuclear power reactor or fuel cycle facility
  • Transportation system entities
  • Subject to regulation under the Maritime Transportation Security Act
  • Owns or operates a qualifying community water system or publicly owned treatment work

For some sectors, the Proposed Rule’s definition of “covered entity” captures businesses that are obviously critical infrastructure, e.g., nuclear power plants and water systems. Entities doing business with DoD and the federal government are also likely to be covered. Other categories are less obvious and will require a documented analysis of whether the business falls within “critical infrastructure.” For example, “information technology entities” is an extremely broad term. Does it include software and hardware providers? SaaS providers? Companies that manufacture connected devices? Businesses elsewhere in the digital ecosystem and supply chain? Managed service providers are mentioned in the Proposed Rule more than 33 times and will likely be considered “covered entities.”

2. What is a “Cyber incident” Under CIRCIA?

Another important question addressed by the Proposed Rule is which types of incident trigger a reporting obligation. CISA makes clear that minor or routine cyber incidents need not be reported. CISA proposes that a cyber incident is a “substantial cyber incident” if it leads to any of four types of impact:

  • Impact 1: Substantial loss of confidentiality, integrity, or availability of an information system or network, including operational technology (“OT”). CISA indicates that a DDoS attack, a ransomware attack, data exfiltration, or persistent unauthorized access are likely reportable events.
  • Impact 2: Serious impact on the safety and resiliency of operational systems and processes. CISA indicates that attacks that could result in the misuse of a hazardous material used in chemical manufacturing or water purification (e.g., the Oldsmar water treatment plant attack), or that disrupt a communications service provider’s ability to deliver emergency alerts or 911 calls, are likely reportable events.
  • Impact 3: Disruption of the ability to engage in business or industrial operations, or to deliver goods or services. CISA explains that various factors determine whether a business interruption or disruption rises to the level of a reportable event, and that insignificant or minor events are not reportable. CISA indicates that exploitation of a zero-day vulnerability resulting in extended downtime, ransomware that encrypts or disrupts industrial control systems, or a DDoS attack that prevents customers from accessing their accounts for an extended period are likely reportable events.
  • Impact 4: Unauthorized access facilitated through or caused by a compromise of a third party in your digital ecosystem, such as a cloud service provider (“CSP”), managed service provider (“MSP”), or data hosting provider, or by a supply chain compromise. This prong goes to the heart of protecting US critical infrastructure, because the notice it requires allows CISA to warn other US businesses that may also be customers of the same CSP, MSP, or supply chain provider. CISA explains that any unauthorized intrusion resulting from a supply chain compromise (e.g., SolarWinds) or from a vulnerability in a CSP or MSP is likely a reportable event.

Impact 4 is without question the broadest and most far-reaching trigger for CIRCIA reporting. It also requires businesses to evaluate their contracts, terms, and agreements with vendors in their digital ecosystem to ensure those vendors are obligated to notify the covered entity if they discover unauthorized access or a vulnerability; without that contractual notice, a covered entity may not learn of an Impact 4 event in time to meet its own 72-hour deadline. CISA also explains that a “cyber incident” does not include lawfully authorized activities of US government entities, including activities taken pursuant to a warrant or other judicial process, or good-faith activity (such as authorized penetration testing) performed in response to a specific request by the owner or operator of the system.

3. What Do “Covered Entities” Have to Report and Disclose to CISA?

The Proposed Rule also addresses what a covered entity must disclose to CISA when it experiences a covered cyber incident. The report must include:

  • A description of the incident, including (1) an identification of the affected systems, (2) a description of any unauthorized access, (3) the dates of the incident, and (4) the impact on the covered entity’s operations
  • Categories of information believed to have been accessed or acquired
  • A description of any vulnerabilities believed to have been exploited
  • A description of the covered entity’s security defenses in place
  • A description of the tactics and techniques used to perpetrate the incident
  • Any indicators of compromise
  • A description of and (if available) copy of any malicious software connected with the incident
  • Any identifying information concerning the threat actor
  • A description of mitigation and response activities

Given the short deadline to report cyber incidents, much of this information will likely be unknown to the victim company at the time of the initial report. The Proposed Rule anticipates this: supplemental reports must be submitted promptly as substantial new or different information becomes available, until the covered entity notifies CISA that the incident has concluded and been fully mitigated and resolved.

The Proposed Rule states that a covered entity may satisfy its incident reporting obligation by reporting substantially similar information in a substantially similar timeframe to another federal agency, but only where a “CIRCIA Agreement” is in place between CISA and the receiving agency. It is unclear whether filing an IC3 report with the FBI will satisfy a CIRCIA disclosure. The timeframe and required content under other federal notification requirements are likely to differ from those under CIRCIA. For example, the recent SEC cybersecurity rules require disclosure within four business days of a materiality determination, a timeframe comparable to CIRCIA’s, but they are far less prescriptive about the information required: the SEC rule simply requires that a company disclose the material aspects of the nature, scope, and timing of the incident and its material impact on the company.

Actionable Next Steps for Businesses

  • Review the Proposed Rule for Applicability. Review the Proposed Rule to determine whether your business is a covered entity and considered “critical infrastructure,” and document that analysis.
  • Submit Written Comments. Interested parties have until June 3, 2024 to provide written comments on CISA’s proposed implementation of CIRCIA.
  • Vendor Management. A critical and time-consuming compliance requirement is to review contracts and terms with cloud service providers, managed service providers, data hosting providers, software and hardware supply chain providers, and other third-party service providers in your digital ecosystem to ensure they are obligated to notify your business if they discover unauthorized access or a supply chain, source code, IoT, or similar vulnerability, and to do so quickly enough for you to meet CIRCIA’s 72-hour deadline.
  • Review Incident Response Plans. Organizations that may be “covered entities” should review their incident response plans and protocols to understand the impact on reporting obligations and develop a plan to operationalize CIRCIA’s reporting requirements, including who decides when the entity “reasonably believes” a covered cyber incident has occurred, since that determination starts the 72-hour clock.
  • Educate Leadership. Given this major shift in transparency and cyber disclosure obligations, critical infrastructure operators should educate leadership and key stakeholders now so they understand the new law, its impact on your business, and the timeline for implementation.

We will continue to monitor and report on the CIRCIA rulemaking process. If you have any questions regarding CIRCIA or cyber readiness and resilience, don’t hesitate to contact the listed authors.

Authors

Justine focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act, privacy litigation, and cyber litigation.

Cyrus Vance Jr. is a partner in Baker McKenzie's North America Litigation and Government Enforcement Practice as well as the Firm's Global Compliance and Investigations Practice. He is based in New York and serves as Global Chair of the Cybersecurity Practice.

Avi Toltzis is a Knowledge Lawyer in Baker McKenzie's Chicago office.