Notification released by CISA on essential infrastructure reporting standards

The cybersecurity agency's proposed rule under CIRCIA mandates swift reporting of significant cyber breaches and ransom payments by entities under its jurisdiction.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is set to reshape the nation's cybersecurity landscape, as the Cybersecurity and Infrastructure Security Agency (CISA) recently announced a proposed rule for its implementation.

The proposed rule requires critical infrastructure providers—those who own and operate systems and assets essential for national security, economic security, or public health and safety—to report significant cyber incidents and ransomware payments to the federal government within strict deadlines.

Covered entities must report cyber incidents within 72 hours of becoming aware of them, and ransomware payments within 24 hours. These deadlines are aimed at facilitating rapid government awareness of, and response to, systemic risks posed by cyber disruptions and ransomware attacks.

The wide-ranging scope of entities includes critical infrastructure providers across sectors such as energy, water, transportation, healthcare, telecommunications, and others designated by the Department of Homeland Security and Sector Risk Management Agencies.

Under CIRCIA, entities must provide detailed information about the incident type, its impact on their operations, exploited vulnerabilities, and other relevant details as soon as practicable within the mandated 72-hour window. This information will enable the federal government to analyze and mitigate emerging cyber threats effectively.

Regarding ransomware payments, entities must report any payment made to ransomware threat actors within 24 hours of the transaction. Reporting includes details sufficient to enable government authorities to track criminal activities and develop threat intelligence.

Compliance with CIRCIA will require entities to establish clear internal processes and cyber incident response plans, maintain rapid detection and reporting capabilities, preserve evidence related to incidents for up to two years, coordinate closely with federal agencies such as CISA, and ensure training and governance structures account for these stringent timeframes and mandated disclosures.

CISA Director Jen Easterly stated that CIRCIA is a game changer for the cybersecurity community, allowing for better understanding of threats, earlier spotting of adversary campaigns, and more coordinated action with partners in response to cyber threats.

The proposed rule, which will be formally published on April 4, will open a 60-day comment period for written responses from the public. With more than 316,000 entities potentially affected, the cost of the proposed rule is estimated to be $2.6 billion over the period of analysis.

However, further debate may arise about which entities will be fully required to comply under the new rule. For instance, Change Healthcare, whose recent attack brought almost the entire healthcare sector down, may not fall under the current framework.

In conclusion, CIRCIA is significant for everyone invested in protecting the nation's critical infrastructure. By imposing a comprehensive framework on critical infrastructure entities, the Act emphasizes timely reporting of cyber incidents and ransomware payments to enhance national cybersecurity resilience and informed government responses.

The proposed rule under CIRCIA requires critical infrastructure entities to report significant cyber incidents, including ransomware attacks, to the federal government within specified deadlines. Compliance with CIRCIA involves establishing internal processes, maintaining swift incident detection and reporting capabilities, and providing detailed information about cyber incidents to the federal government for threat analysis and mitigation.
