The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 is a US federal law that requires all critical infrastructure entities to report any cybersecurity incidents or ransomware attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within a specified timeframe.
It was signed into law by President Biden in March 2022 amid growing concerns over high-profile cyber attacks on critical infrastructure providers in the United States and a series of attacks related to Russia’s invasion of Ukraine. CIRCIA comes on the heels of the US government’s enhanced focus on improving the country’s overall cybersecurity following Biden’s Executive Order on Improving the Nation’s Cybersecurity.
The goal of CIRCIA is to allow CISA sufficient time to provide support and resources for the affected industries and victims, while using the reports to analyze potential attack trends across industries and share that information with potential targets in the critical infrastructure sector. As such, the bigger picture is to gain stronger visibility into the scope of cyber threats and fully understand cyber risks in today’s cybersecurity landscape.
What are the Cyber Incident Reporting Requirements of CIRCIA?
There are two main reporting obligations that covered entities must follow:
- Covered entities that experience a covered cyber incident must report the incident to CISA within 72 hours after the entity has a reasonable belief that an incident has occurred.
- If the covered cyber incident also qualifies as a ransomware attack, the covered entity must report the incident to CISA within 24 hours if a ransomware payment has been made.
The 72-hour reporting deadline is initiated from the moment of “reasonable belief” that a cyber incident has occurred. However, CISA must determine the exact moment of “reasonable belief,” whether it applies on the confirmation of a cyber incident or on the occurrence of a potential cyber incident. Once determined, organizations must report cyber incidents to CISA in accordance with the defined rule.
Once CISA has received a report of a cyber incident, it must share the report with the corresponding federal agencies within 24 hours. If a federal agency receives the report before it is reported to CISA, that agency must also share the report with CISA within 24 hours.
In these incident reports, organizations must include necessary incident details, including:
- Type and number of systems impacted
- Type of information or data impacted
- Comprehensive description of the attack or security breach
- Date and time of occurrence
- Scope of the impact on operations
- Specific vulnerabilities that were exploited
- Tactics and techniques used in the attack
- Contact information
Three main initiatives are derived from the legislation:
- Cyber Incident Reporting Council - The Department of Homeland Security (DHS) must establish and chair the intergovernmental Cyber Incident Reporting Council to “coordinate, deconflict, and harmonize federal incident reporting requirements.”
- Joint Ransomware Task Force - The Joint Ransomware Task Force is part of an ongoing nationwide campaign against ransomware attacks launched by CISA. As part of CIRCIA, CISA will continue these efforts in collaboration with the Federal Bureau of Investigation (FBI) and the National Cyber Director.
- Ransomware Vulnerability Warning Pilot Program - CISA is tasked with creating a pilot program to develop processes and procedures for identifying information systems in critical infrastructure that have security vulnerabilities commonly associated with ransomware attacks, and for notifying the system owners accordingly.
NOTE: CIRCIA will not take effect until the Final Rule is published and the reporting requirements are finalized. However, CISA still strongly recommends that all critical infrastructure organizations report any cyber incidents.
What is Considered a Cyber Incident?
A cyber incident is any event where an organization’s systems, network, or data have been breached, compromised, exposed, jeopardized, or illegally accessed by malicious actors.
CISA currently defines a “covered cyber incident” as a substantial cyber incident experienced by a covered entity. Covered entities include all organizations under the legislation, which under CIRCIA means all organizations within the critical infrastructure sectors.
In addition, CIRCIA establishes guidelines for what is considered a “substantial cyber incident,” including:
- Substantial loss or damages to the confidentiality, integrity, and availability of information systems
- Substantial impact to the safety or resiliency of operational systems and processes
- Significant business or industrial disruptions
- Any instance of a ransomware payment or ransomware attack
- Unauthorized access leading to business disruptions caused by third parties
- Supply chain compromise
Who Must Comply With CIRCIA?
Under CIRCIA, all “covered entities” in critical infrastructure sectors must comply with the new reporting requirements. In some cases, third-party service providers for these industries may also be liable to comply with CIRCIA. Critical infrastructure entities can include both private and public businesses in the following industries:
- Commercial facilities
- Critical manufacturing
- Defense industrial base
- Emergency services
- Financial services
- Food and agriculture
- Government facilities
- Healthcare and public health
- Information technology
- Water and wastewater systems
Request for Information (RFI) on CIRCIA
As part of the rulemaking process, CIRCIA also has an active RFI to receive public input as CISA continues to develop and implement the regulations set by the new law. In the RFI, CISA is required to provide specific and accurate definitions of:
- The meaning of “covered entity”
- The number of total entities organized by industry or sector
- The meaning of “covered cyber incident”
- The similarities and differences of the definition of “covered cyber incidents” in comparison with the definition of the term under other existing federal regulations
- The meaning of “substantial cyber incident”
- The meaning of “ransom payment” and “ransomware attack”
- The number of ransomware payments likely to be made by covered entities on an annual basis
- The meaning of “supply chain compromise”
- Any other term that requires clarification within CIRCIA
- What constitutes “reasonable belief,” which triggers the 72-hour reporting deadline
- The criteria for when a ransom payment is considered finalized, triggering the 24-hour reporting deadline
- How covered entities should submit their cyber incident and ransom payment reports
- How third parties should submit their supplemental reports
- The criteria for determining if an entity is a multi-stakeholder organization
CIRCIA also requires the Director of CISA to publish a Notice of Proposed Rulemaking (NPRM) within 24 months of the date of enactment (by March 2024). An NPRM is an official public notice that outlines the federal agency’s plan to address a specific problem or accomplish a goal.
The Director’s Final Rule also must be published within 18 months of the NPRM (by September 2025). The Final Rule is the final step of the rulemaking process, in which the proposed rules are advanced to the final stages of publication in the Federal Register. The publication of the Final Rule also establishes the effective date for CIRCIA.