The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was adopted in March of 2022 and is an outgrowth of the National Infrastructure Protection Plan (NIPP) that has been around since 2013. What this means to organizations that are covered critical infrastructure entities is that they will be required to report cyber incidents and ransomware attacks to the Cybersecurity and Infrastructure Security Agency (CISA) in a very short time frame. Specifically, these organizations must:
- Report any “covered cyber incident” to the CISA within 72 hours of determining that the incident has occurred
- Report issuance of a ransomware payment to the CISA within 24 hours
- Provide CISA with supplemental information when substantial or new information regarding the incident becomes available to the entity
A question that immediately occurs to one upon reading these requirements is, what is a “covered cyber incident” under CIRCIA? A covered cyber incident under this law must meet any one or all of the following criteria. A covered cyber incident causes or creates:
- “Substantial loss of confidentiality, integrity, or availability” in information systems or “serious impact on the safety and resiliency” of operations
- “Disruption of business or industrial operations,” including service denials, ransomware attacks, or exploitation of “zero-day vulnerabilities”
- “Unauthorized access or disruption of business or industrial operations” from the loss of services facilitated through or caused by a third-party data hosting provider or supplier
What business sectors are considered critical infrastructure in the U.S.? Critical infrastructure includes the following 16 sectors:
- The Chemical sector
- The Commercial Facilities sector
- The Communications sector
- The Critical Manufacturing sector
- The Dams sector
- The Defense Industrial Base sector
- The Emergency Services sector
- The Energy sector
- The Financial Services sector
- The Food and Agriculture sector
- The Government Facilities sector
- The Healthcare and Public Health sector
- The Information Technology sector
- The Nuclear Reactors, Materials and Waste sector
- The Transportation Systems sector
- The Water and Wastewater Systems sector
So, how are you to know if your organization is included under this new law? That is being determined now by the CISA. To define a covered entity under the law, they are considering three factors:
- The consequences that a particular cyber incident might have on national or economic security, public health and safety
- The likelihood that the entity could be targeted for attack
- The extent to which an incident is likely to disrupt the reliable operation of critical infrastructure
These criteria cover not only critical infrastructure organizations but also organizations that support the security and resiliency of critical infrastructure.
Luckily, organizations in this sector will have some time to get ready for these new requirements. The deadline for the publication of the Notice of Proposed Rulemaking is not until March 15, 2024, and the deadline for issuance of the Final Rule is slated for September 15, 2025. My advice is to take advantage of this time and prepare!