The US government is trying to standardize the reporting of cyber attacks, and they’re asking for your feedback.
The Cybersecurity and Infrastructure Security Agency (CISA) would like the public’s input on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)—a significant law aimed at improving US cybersecurity. Signed in March 2022, CIRCIA focuses on requiring CISA to develop and implement regulations ensuring covered entities report cyber incidents and ransomware payments.
The intention behind CIRCIA is to assist with “national security, economic security, and public health and safety.” The logic is straightforward: if more information about cyber attacks is readily available, CISA will be better able to analyze threat trends and new attack tactics, and then warn potential victims of impending attacks.
As mentioned earlier, CIRCIA is a law that requires critical infrastructure owners and operators to report cyber incidents and ransomware payments to CISA within a specified timeframe.
The act was inspired, in part, by the SolarWinds Hack—which highlighted the lack of data available to the federal government about critical infrastructure breaches. It is one of the first and most prominent steps CISA has taken towards a more regulatory role.
In April, CISA posted a set of proposed regulations under CIRCIA to the Federal Register for public comment. Days later, the U.S. Chamber of Commerce, among other industry leaders, petitioned CISA to lengthen the initial 60-day comment period. CISA granted the additional time, but only through the beginning of July.
Under the proposed rules, companies will have to report incidents within 72 hours “after the covered entity reasonably believes the covered cyber incident has occurred.” They’ll also need to flag any ransomware payment within 24 hours of making it, unless the payment is accompanied by a covered incident, in which case the organization has (can you guess?) 72 hours.
At present, CISA is finalizing the proposed regulations that define “covered cyber incidents,” and the public has until July 3 to comment. CISA then has 18 months to finalize the regulations, after which Congress has another 60 days to review the rules before they become effective.
CISA expects that over 300,000 entities will be impacted by the bill. These entities, described as critical infrastructure organizations—ranging from energy to healthcare to the defense industrial base—will be required to report a qualifying cyber incident within 72 hours, and a ransom payment within 24 hours after they (or a third party) make it. After the initial report, they must submit updated information as new details emerge.
Qualifying incidents include those that impact safety, those that disrupt or could lead to a disruption of services, and breaches carried out through third parties, e.g., cloud service providers.
CISA will then use the information it receives to assist with incident response and mitigation, trend and threat analysis, and to design and implement strategies that will improve cyber resilience on a broad scale.
CISA has made an effort to make reporting as user-friendly as possible by introducing a web form for disclosure. To protect the confidentiality of reported incidents, the information disclosed in CIRCIA reports will be exempt from public record requests, which also shields reporting entities from some potential civil liability.
CIRCIA isn’t without its critics. Some stakeholders have said that it spans too many entities and that there are too many different kinds of incidents that will require reporting. There are concerns that this could lead to CISA being overwhelmed by the volume of reports, given how frequent cyber incidents are today. In response, CISA has stated that improved data management tools and processes will be able to deal with the information more easily.
Some experts feel that the bill doesn’t go far enough, as there are many exceptions and nuances. For example, if an entity is the victim of a DDoS attack, it only needs to report the incident if it resulted in a lengthy service outage. Others question whether covered entities have the financial resources or technical expertise required to implement proper security measures and detect breaches, e.g., community water systems and services.
Josh Corman, former chief strategist of CISA’s COVID Task Force, has said that the size-based criteria and sector-specific rules and exemptions may lead to gaps. In an interview, he explained that the size of an organization shouldn’t be the focus, but rather “the size of the harm to the national critical functions and critical infrastructure.”
Corman believes that CISA should have focused its rules on a list of systemically important critical entities identified by CISA, some of which may fall outside of what is considered critical infrastructure, to maximize coverage. Under the rule, for example, hospitals with fewer than 100 beds do not have to disclose incidents. However, critical access hospitals (notably rural hospitals) are required to report.
Corman also argues that the categorization of critical infrastructure entities is flawed as it was based on a plan created in 2015.
The timeline for CIRCIA’s implementation has been another point of contention for some stakeholders in the cybersecurity community. CIRCIA was enacted in March 2022, and the deadline for publishing the proposed rules outlining reporting requirements (the notice of proposed rulemaking, or NPRM) was met as planned in April 2024.
Organizations covered by the rule may not have to start reporting cyber incidents to CISA until early 2026. As we’ve mentioned, that’s because after comments on the proposed rule close, CISA has 18 months to finalize the regulations. After that, Congress has 60 days to review the rules before they become effective.
Some see the 24-month window for proposing rules and the additional 18 months for finalizing them as too long. This delay creates uncertainty for organizations that need to prepare for compliance. With the final rules not yet published, key definitions like “covered entity” and “covered cyber incident” remain unclear. This lack of clarity makes it difficult for impacted organizations to understand their reporting obligations. Many entities are hesitant to invest resources in compliance until they fully understand the requirements.
In an opening statement in the hearing to examine CIRCIA, Rep. Andrew Garbarino (R-NY), Chairman of the Homeland Security Committee’s cyber panel, stated, “It is imperative that we get the CIRCIA rule right. CIRCIA should serve as the standard, not another regulation standing in the way of effective cyber defense. Because it is so important we get this right, I’m encouraged to hear that CISA is granting a 30-day extension for submitting comments.”
The statement reflects the concern that the current timeline and lack of clarity might hinder, rather than help, cybersecurity efforts.
While CIRCIA’s final rule and reporting requirements aren’t finalized yet, businesses can take proactive steps to prepare for compliance and potentially improve their overall cybersecurity posture.
Regularly check CISA’s website for updates on the CIRCIA rulemaking process, including the final ruling and any clarifications on definitions. Look for guidance and best practices from industry associations related to your sector and identify systems and assets that may be considered critical infrastructure under the final CIRCIA ruling.
Develop a process for identifying potential cyber incidents that could meet the criteria for reporting under CIRCIA. This might involve setting thresholds for severity or impact. If you work with third-party vendors or service providers, discuss the potential impacts of CIRCIA on their cybersecurity practices and potential reporting obligations.
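One way to turn the thresholds and deadlines described above into a repeatable triage step, as an added example that is not part of the original article or any CISA guidance: a small Python helper that applies the qualifying criteria the article lists (safety impact, service disruption, third-party breach, DDoS only with a lengthy outage) and computes the 72-hour and 24-hour reporting deadlines, including the combined case where a ransom payment accompanies a covered incident. The 24-hour DDoS outage threshold and the way the combined report is folded into the incident deadline are assumptions for illustration, not figures from the proposed rule.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Reporting windows as the article describes the proposed rule.
INCIDENT_WINDOW = timedelta(hours=72)   # from reasonable belief a covered incident occurred
PAYMENT_WINDOW = timedelta(hours=24)    # from the ransom payment being made

# Constructed threshold: the article does not quantify a "lengthy" DDoS outage,
# so this 24-hour value is an assumption to replace with your own policy.
DDOS_OUTAGE_THRESHOLD = timedelta(hours=24)

@dataclass
class Incident:
    kind: str                               # e.g. "ransomware", "ddos", "breach"
    reasonably_believed_at: datetime        # when the entity reasonably believed it occurred
    safety_impact: bool = False
    service_disruption: bool = False
    via_third_party: bool = False           # e.g. breach through a cloud service provider
    outage: timedelta = timedelta(0)        # only meaningful for DDoS
    ransom_paid_at: Optional[datetime] = None

def is_covered(inc: Incident) -> bool:
    """Apply the qualifying criteria the article lists (DDoS only if the outage was lengthy)."""
    if inc.kind == "ddos":
        return inc.outage >= DDOS_OUTAGE_THRESHOLD
    return inc.safety_impact or inc.service_disruption or inc.via_third_party

def reporting_deadlines(inc: Incident) -> Dict[str, datetime]:
    """Return each report owed to CISA and when it is due.

    Assumption: a ransom payment made before the 72-hour incident deadline is
    folded into that incident report (the combined 72-hour case the article
    mentions); a payment with no covered incident gets its own 24-hour report.
    """
    due: Dict[str, datetime] = {}
    if is_covered(inc):
        due["incident_report"] = inc.reasonably_believed_at + INCIDENT_WINDOW
    if inc.ransom_paid_at is not None:
        if "incident_report" in due and inc.ransom_paid_at <= due["incident_report"]:
            due["ransom_payment"] = due["incident_report"]     # combined report
        else:
            due["ransom_payment"] = inc.ransom_paid_at + PAYMENT_WINDOW
    return due

if __name__ == "__main__":
    # Constructed sample: ransomware recognised Monday 09:00, ransom paid Tuesday 15:00.
    inc = Incident("ransomware", datetime(2024, 6, 3, 9), service_disruption=True,
                   ransom_paid_at=datetime(2024, 6, 4, 15))
    for name, when in reporting_deadlines(inc).items():
        print(f"{name}: due {when:%Y-%m-%d %H:%M}")
```

The output of `reporting_deadlines` is the list of clocks an incident response team has to track; the function is deliberately pure so it can sit inside a ticketing hook or a playbook step.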
Remember: The current focus is on critical infrastructure, but the impact of CIRCIA might extend to other businesses in the future. Taking a proactive approach will not only help you prepare for CIRCIA but also strengthen your overall cybersecurity defenses in the process.