On March 27, 2024, the U.S. Cybersecurity and Infrastructure Agency (“CISA”) unveiled an unpublished version of a Notice of Proposed Rulemaking (“NPRM”) in accordance with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The official publication of the NPRM is scheduled for April 4, 2024, with comments due by June 3, 2024. The proposed rules under CIRCIA mandate that “covered entities” report (1) “qualifying cyber incidents,” (2) ransom payments made following a ransomware attack, and (3) any significantly new or different information discovered regarding a previously submitted report to CISA. Covered entities must notify CISA within 72 hours of a qualifying cyber incident and within 24 hours if a ransomware payment is made.
CISA defines qualifying cyber incidents as those resulting in (1) a significant loss of confidentiality, integrity, or availability of a covered entity’s information system or network; (2) a severe impact on the safety and resiliency of operational systems and processes; (3) a disruption to a covered entity’s business or industrial operations; or (4) unauthorized access to a covered entity’s information system or network, including nonpublic data, facilitated by a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or a supply chain compromise.
Furthermore, CISA proposes that a “covered entity” encompasses entities (1) larger than small business size standards set by the U.S. Small Business Administration within a critical infrastructure sector or (2) subject to sector-specific standards that CISA intends to develop for critical infrastructure entities. CISA identifies 16 sectors as “critical infrastructure,” including chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, materials, waste, state, local, tribal, territorial government coordinating council, transportation systems, and water and wastewater.
In the event a covered entity encounters one of the three aforementioned reportable incidents, CISA suggests that the entity must submit reports via a web-based form, the “CIRCIA Incident Reporting Form,” accessible on the reporting page of CISA’s website. The proposed regulations grant CISA the authority to issue Requests for Information or subpoenas. Failure to comply with a subpoena might result in referral to the U.S. Attorney General for enforcement. Covered entities providing knowingly false or fraudulent statements or representations in connection with a CIRCIA Report, RFI Response, or subpoenas may face penalties.