Federal agency CISA issues directive for essential reporting guidelines concerning critical national infrastructure
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Takes Shape: What You Need to Know
The Cybersecurity and Infrastructure Security Agency (CISA) has posted a notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), a new law aimed at improving the response to cyber threats against critical infrastructure in the United States.
The proposed rule will require owners and operators of critical infrastructure sectors, such as utilities (including water and wastewater systems), energy, telecommunications, transportation, healthcare, and others designated as critical infrastructure under federal law, to comply with its cyber incident reporting requirements.
Key compliance details include reporting cyber incidents within 72 hours of discovery, preserving related evidence for up to two years, and reporting ransom payments within 24 hours. Smaller entities may face heavier compliance burdens, including new training and operational updates.
CISA Director Jen Easterly stated that CIRCIA will allow for better understanding of threats, earlier spotting of adversary campaigns, and more coordinated action with partners. The Act is described as a game changer for the cybersecurity community and those protecting critical infrastructure.
The rule is intended to help federal authorities share vital details with industry and government partners, with the ultimate goal of helping them better coordinate critical infrastructure threat responses.
The Department of Homeland Security posted the unpublished notice for CIRCIA on the Federal Register site for public inspection. A 60-day comment period will follow the formal publication, allowing for written responses from the public. The formal publication is scheduled for April 4.
Entities operating in sectors designated by the Department of Homeland Security as critical infrastructure will be required to comply, including bulk electric system operators and maritime entities under complementary regulations. However, it remains unclear whether entities like Change Healthcare, which was responsible for the recent attack that almost brought down the entire healthcare sector, will be included under the current framework.
More than 316,000 entities are potentially affected by the proposed rule. Analysts predict further debate about which entities will be fully required to comply under the new rule. CISA estimates the cost of the proposed rule to be $2.6 billion over the period of analysis.
In summary, CIRCIA is a significant step forward in enhancing the cybersecurity of critical infrastructure in the United States. Compliance under CIRCIA will be required from critical infrastructure owners and operators across designated sectors, entities operating systems deemed critical by DHS and covered by sector-specific regulations, and specific subsets such as bulk electric system operators and maritime entities under complementary regulations. The 60-day comment period offers an opportunity for the public to voice their opinions on the proposed rule before it is formally published.
- The Cybersecurity and Infrastructure Security Agency (CISA)'s proposed rule for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) includes a requirement for owners and operators in various critical infrastructure sectors, such as technology companies, to report ransomware attacks within 24 hours.
- The Cybersecurity and Infrastructure Security Agency (CISA) aims to better protect critical infrastructure against ransomware attacks by requiring entities operating in these sectors, including technology companies, to report cyber incidents within 72 hours of discovery under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).