New CISA Cybersecurity Incident Reporting Requirements Proposed for Critical Infrastructure Companies

On April 4, 2024, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) officially published its Notice of Proposed Rulemaking (NPRM) detailing significant new cybersecurity reporting requirements. If adopted, this proposed rule would require companies in critical infrastructure sectors to report on certain cybersecurity incidents within tight timelines: 72 hours for “substantial cybersecurity incidents,” and 24 hours for ransomware payments.

The public has until June 3, 2024 to submit comments.

Background

In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) established that covered entities must report on covered cybersecurity incidents to CISA, tasking CISA with setting the requirements via rulemaking.¹ CIRCIA specifies that covered entities must report cybersecurity incidents within 72 hours after the entity reasonably believes a covered incident has occurred, and 24 hours after making a ransomware payment, and also authorizes CISA to request information and compel information disclosure through enforcement actions.² The current cyber reporting landscape is extremely fragmented, encompassing dozens of different reporting requirements from federal, state and local sources. CIRCIA is the first federal statute supporting a “comprehensive and coordinated approach” regarding cyber incidents in critical infrastructure sectors.³ The NPRM attempts to implement CIRCIA’s requirements, establishing the categories of covered entities and covered incidents, with a goal towards enhancing cyber threat situational awareness across critical infrastructure sectors.

Types of Entities Covered

CIRCIA specifies that covered entities under the reporting requirements include entities in a critical infrastructure sector,⁴ authorizing CISA to further clarify through regulation.⁵ The NPRM lists two means for determining if a critical infrastructure entity is covered: either by size or by sector. A critical infrastructure entity is covered if it: (i) exceeds the standard for small business size set by the Small Business Administration; or (ii) meets one or more of the listed sector-based criteria, regardless of size. The sector-based criteria include:

1. Owning or operating a covered chemical facility;
2. Providing wire or radio communications service;
3. Owning or operating critical manufacturing sector infrastructure;
4. Providing operationally critical support to the Department of Defense (DoD) or processing, storing, or transmitting covered defense information;
5. Performing an emergency service or function;
6. Bulk electric and distribution system entities;
7. Owning or operating financial services sector infrastructure;
8. State, local, tribal or territorial entities;
9. Education facilities;
10. Entities involved with information and communications technology to support elections processes;
11. Providers of essential public health services;
12. Information technology entities;
13. Owners and operators of a commercial nuclear power reactor or fuel cycle facility;
14. Transportation system entities;
15. Entities subject to a regulation under the Maritime Transportation Security Act; and
16. Owners and operators of a qualifying community water system or publicly owned treatment works.⁶

CISA stressed that companies should not spend time evaluating whether or not they are a critical infrastructure entity if they meet one or more of the sector-based criteria.⁷ According to the NPRM, entities that meet the sector-based criteria are necessarily in a critical infrastructure sector.

Types of Cyber Incidents Covered

The NPRM explains that under CIRCIA, CISA is required to establish a definition for “covered cyber incident” that pertains to cyber incidents that are “substantial.”⁸ Accordingly, the NPRM proposes to define a covered cyber incident as a “substantial cyber incident experienced by a covered entity” so covered entities would only need to determine if a cyber incident is substantial to know if it has to be reported.⁹ The NPRM would define a substantial cyber incident as a cyber incident that leads to any of the following results:

• Substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network;
• Serious impact on the safety and resilience of a covered entity’s operational systems and processes;
• Disruption of a covered entity's ability to engage in business or industrial operations, or delivery goods or services;
• Unauthorized access to a covered entity’s information system or network or any nonpublic information they contain, that is facilitated through or caused by either a compromise of a cloud service provider or other third-party data hosting provider or supply chain compromise.¹⁰

CISA offers guidance on when an incident might meet any of these impact thresholds. It is important to keep in mind that any incident that meets one of these thresholds is reportable regardless of cause, including such causes as: (i) a compromised cloud service provider, managed services provider or other third-party data hosting provider; (ii) a supply chain compromise; (iii) a denial-of-service attack; (iv) a ransomware attack; or (v) a zero-day vulnerability exploitation, among others.¹¹

Exemptions

CISA was already required to exclude two types of incidents from the definition of covered cyber incident: (i) events where the cyber incident was perpetrated in good faith by an entity responding to a specific request by the owner or operator of the information system, and (ii) the threat of disruption as extortion.¹² The NPRM would add a third exclusion: any lawfully authorized activity by a U.S. Government or SLTT Government entity including activities undertaken pursuant to a warrant or other judicial process.¹³

Requirements

The NPRM contains requirements for different types of reporting, including initial and follow-up supplemental reports after a covered cyber incident. As previously stated, CIRCIA establishes that covered cyber incidents must be reported 72 hours after the covered entity reasonably believes that a covered cyber incident has occurred and 24 hours after a ransom payment has been made. In the NPRM, CISA admits that this timing is subjective, and offers guidance on when a “reasonable belief” might be expected to occur, rather than an exact definition.¹⁴ As for the timing for ransomware reports, the NPRM states that payment is considered to be made upon disbursement of the payment either by the covered entity or an authorized third-party on the covered entity’s behalf. Subsequent reports are to be submitted after new information absent from the original report becomes available, or in the event the original report needs to be corrected or completed.¹⁵ 

Information covered entities would provide in reports ranges from items explicitly required by CIRCIA, to new items added by the NPRM, these include:

1. The Identity of the Covered Entity – including legal names, trade names, state of incorporation, physical address, website, and the critical infrastructure sector the entity is considered to belong to.¹⁶
2. Contact Information – such as phone numbers or email addresses, for the covered entity, their authorized agent or an authorized third party.¹⁷
3. Third Party Authorization – CISA proposes a requirement for third parties that submit reports on behalf of a covered entity to include an attestation that it is expressly authorized by the covered entity to submit the report.¹⁸
4. Description of the Covered Incident – including descriptions of the impacted systems, networks and devices along with their locations and technical specifications. CISA notes that it is also interested in whether there was unauthorized access or any informational impacts or compromises, and may pose follow-up questions for additional details.¹⁹
5. Vulnerabilities, Security Defenses, and TTPs – namely which specific products or technologies had vulnerabilities, what security controls the covered entity had, and which controls failed or were not implemented properly. CISA also proposes requiring information on the tactics, techniques, and procedures (TTPs) used to commit the incident, such as a description of the type of incident and the attack vectors at play, along with a copy or sample of any malicious software the covered entity believes is connected to the incident.²⁰
6. Information on the Identity of the Perpetrator – any information on the identity of those believed to be responsible for the covered cyber incident. CISA proposes including whether the covered entity believes they can attribute the incident and any evidence supporting that assessment as well as the entity’s level of confidence in that assessment.²¹
7. Mitigation/Response – the NPRM would add information on mitigation and response activities the covered entity takes following a covered cyber incident, including the covered entity’s assessment of the effectiveness of those activities. CISA also proposes including whether the covered entity engaged with law enforcement or had assistance from any outside parties.²²
8. Additional Information – the NPRM would add a requirement to include any other data or information as needed. CISA states that the changing nature of cyberthreats may lead to CISA identifying other information necessary to meet its obligations under CIRCIA, so CISA proposes leaving the door open for follow-up requests for information to covered entities after covered cyber incidents.²³

There are specific content requirements unique to reports on ransomware payments, such as (i) whether exfiltrated data was returned or decryption provided after payment; and (ii) details of the demand and payment rendered, like the type of currency, the payment instructions, and the amount demanded.²⁴

Enforcement

In the event a covered entity fails to report on a covered cyber incident, CIRCIA provides several different enforcement mechanisms for CISA, including: (i) issuing a request for information (RFI); (ii) issuing a subpoena; (iii) referral to the Attorney General for a civil action; and (iv) mechanisms like suspension, debarment and acquisition penalties. The NPRM notes that when evaluating potential enforcement actions, CISA will take into account the complex nature of determining if covered cyber incidents occurred, along with a covered entity’s prior interactions with CISA.²⁵

Companies should begin evaluating whether they may be considered a covered entity under the NPRM and assess potential changes to their cyber incident response strategy. If you have any questions about this proposed rule or its impact on your company, please contact a member of the Akin cybersecurity, privacy and data protection team.

^{1 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements, Proposed Rule, 89 Fed. Reg. 23644 (April 4, 2024).}

^{2 Id. at 23648.}

^{3 Id. at 23649.}

^{4 Presidential Policy Directive 21 defines “entities in a critical infrastructure sector” to include the following 16 sectors: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities,  Healthcare and Public Health, Information Technology, Nuclear Reactors Materials and Waste, Transportation Systems, Water and Wastewater Systems.}

^{5 89 Fed. Reg. 23660.}

^{6 Id. at 23767-69.}

^{7 Id. at 23703.}

^{8 Id. at 23660.}

^{9 Id. at 23661.}

^{10 Id.}

^{11 Id. at 23665.}

^{12 6 U.S.C. 681b(c)(2)(C).}

^{13 89 Fed. Reg. 23666. “SLTT” refers to: “state, local, tribal and territorial.”}

^{14 Id. at 23725.}

^{15 Id. at 23726.}

^{16 Id. at 23719.}

^{17 Id.}

^{18 Id. at 23720.}

^{19 Id.}

^{20 Id. at 23721.}

^{21 Id. at 23722.}

^{22 Id.}

^{23 Id.}

^{24 Id. at 23723-24.}

^{25 Id. at 23733.}