Is your company covered by the new Cybersecurity Reporting Requirements?

Did You Know?

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires the
Cybersecurity and Infrastructure Security Agency (CISA) to implement rules governing cyber
incident and ransom payment reporting requirements for “covered entities.” The rules, aimed
at improving transparency and information sharing about major cyber incidents affecting U.S.
critical infrastructure would require that covered entities report major cyber incidents to CISA
within 72 hours and report ransom payments within 24 hours.

The Notice of proposed Rule (NPR) identifies 316,244 “covered entities” that will be required to report under the cyber incident reporting law (CIRCIA) that span various critical infrastructure sectors, reflecting the broad scope of the rule’s applicability to enhance national cybersecurity resilience. Of these “covered entities, the vast majority – approximately 310,000 – are considered “small entities” by CISA. The term ‘‘small entities’’ comprises small businesses, not-for- profit organizations that are independently owned and operated and are not dominant in their fields, and governmental jurisdictions with populations of fewer than 50,000.

CISA estimated that the average cost per covered entity experiencing a single covered cyber incident
would be $4,139.60

Sector-Based Criteria
The NPR outlines specific “sector-based” criteria for determining which entities within critical
infrastructure sectors are considered “covered entities” under the CIRCIA, including:

  • Communications: Entities providing communications services by wire or radio to the public,
    businesses, or government, including telecommunications carriers and internet service
    providers.
  • Critical Manufacturing: Entities engaged in key manufacturing industries critical to national
    security and economic stability.
  • Defense Industrial Base: Contractors and subcontractors who handle Controlled Unclassified
    Information (CUI) for the Department of Defense (DoD).
  • Emergency Services: Entities providing emergency services to populations of 50,000 or more.
  • Energy: Entities required to report incidents under NERC’s CIP Reliability Standards or the
    Electric Emergency Incident and Disturbance Report (OE-417).
  • Financial Services: Entities with significant potential impact on the nation’s economic security.
  • Government Facilities: Entities meeting criteria related to government operations, education, or
    election processes.
  • Healthcare and Public Health: Entities involved in patient services, and drug and device
    manufacturers.
  • Information Technology: Entities providing IT hardware, software, or services to the federal
    government, or involved in the development and maintenance of critical software.
  • Nuclear Reactors, Materials, and Waste: Operators of commercial nuclear power reactors or
    fuel cycle facilities.
  • Transportation Systems: Entities involved in non-maritime transportation, or operators of
    vessels and facilities related to the outer continental shelf.
  • Water and Wastewater Systems: Owners and operators of community water systems or publicly
    owned treatment works.

There are several levels (some quite significant) of penalties aimed at ensuring compliance and
maintain the integrity of critical infrastructure cybersecurity incident reporting system, including:

  • Request for Information (RFI): CISA can issue an RFI to obtain more information from the entity
    that failed to report a covered cyber incident or ransom payment.
  • Subpoena: If the response to an RFI is inadequate, CISA can issue a subpoena to compel the
    disclosure of necessary information.
  • Civil Court Action: CISA can refer the case to the Attorney General, who can pursue a civil action
    in District Court to enforce a subpoena or address potential contempt of court.
  • Suspension and Debarment: CISA can initiate procedures to suspend or debar the entity from
    federal contracts.
  • Criminal Penalties: False or fraudulent statements in reports to CISA can result in penalties
    under 18 U.S.C. § 1001, which is a criminal statute.

Additionally, entities are required to preserve relevant data and records for two years from the submission date of their report. This includes communications with threat actors, log entries, forensic images, and any data related to ransom payments.

If you believe this proposed rule would affect your business, have questions concerning its provisions
or options for compliance, CISA has provided contact information to assist small entities in
understanding this proposed rule so that they can better evaluate its effects on them and participate
in the rulemaking.

The Federal Register Notice of Proposed Rule can be found here.
The press release regarding the CISA Notice of Proposed Rule can be found here.
Visit cisa.gov/CIRCIA to learn more.