by Beth Burgin Waller and Patrick J. Austin
The federal Cybersecurity and Infrastructure Security Agency (CISA) released a draft of its proposed rule detailing how covered entities operating in critical infrastructure sectors report cyberattacks and ransomware payments to the federal government. The proposed rule states that entities operating in critical infrastructure sectors will be obligated to report “covered cyber incidents” within 72 hours after an entity reasonably believes a cyber incident has occurred and report ransom payments within 24 hours after a payment is made. The proposed Cyber Rule – hundreds of pages as drafted – adds significant requirements for those required to make a report, including a requirement that the entity preserve materials used to create the report (such as the threat actor’s ransom note, logs, and forensic artifacts) for two years. As proposed, the Rule applies to large businesses and the critical infrastructure sector alike. Failure to comply can result in an entity being subpoenaed and ultimately referred to the Department of Justice for noncompliance.
The proposed rule is scheduled to be published in the Federal Register on April 4, 2024. An unpublished version of the proposed rule may be accessed here (pdf).
CISA’s Rulemaking Authority
CISA’s rulemaking authority in the context of incident reporting obligations for critical infrastructure entities stems from the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which was signed into law by President Biden in March 2022 as part of the Consolidated Appropriations Act of 2022. CIRCIA stipulated that CISA’s director had to publish proposed rules implementing reporting requirements within 24 months of CIRCIA’s enactment, or no later than March 2024. Hence, the release of the proposed rule.
The final CIRCIA rule must be published within 18 months of the proposed rules, or by no later than September 2025.
Applicability
The Rule captures a wide swath of entities and businesses based on two different criteria: size or sector. Under the size threshold, it appears a business could be captured within the Rule’s ambit by size alone, without any direct connection to a critical infrastructure sector. Conversely, a small entity that falls within a defined sector would have a reporting obligation regardless of its size.
Regarding size, if an entity “exceeds the small business size standard specified by the applicable North American Industry Classification System Code in the U.S. Small Business Administration’s Small Business Size Regulations as set forth in 13 CFR part 121” then they will be categorized as a covered entity under the proposed rule.
Regarding the sector-based criterion, entities operating in the following critical infrastructure sectors who meet specific thresholds will be categorized as a covered entity under the proposed rule:
- Critical manufacturing
- Emergency services (e.g., law enforcement, fire and rescue, emergency medical services, etc.)
- Energy
- Education
- Financial Services
- State, local, Tribal, or territorial governments
- Public health
- Information technology
- Nuclear reactors, materials, and waste
- Transportation systems
- Water and wastewater systems
- Chemical facilities
- Communications, including wire or radio communications services
“Substantial” Cyber Incident Triggers Reporting Obligation
According to § 226.1 of the proposed rule, a cyber incident triggering reporting obligations under the proposed rule includes “substantial” cyber incidents experienced by a covered entity. The proposed rule defines “substantial” cyber incident to mean a cyber incident that leads to any of the following:
- A substantial loss of confidentiality, integrity or availability of a covered entity’s information system or network;
- A serious impact on the safety and resiliency of a covered entity’s operational systems and processes;
- A disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services;
- Unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by the following: (a) a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; or (b) a supply chain compromise.
- A “substantial cyber incident” resulting in the impacts listed in the first three bullets above includes any cyber incident regardless of cause, including, but not limited to, any of the above incidents caused by a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; a supply chain compromise; a denial-of-service attack; a ransomware attack; or exploitation of a zero-day vulnerability.
The term “substantial cyber incident” does not include:
- Any lawfully authorized activity of a United States Government entity or State, local, Tribal, or territorial government entity, including activities undertaken pursuant to a warrant or other judicial process;
- Any event where the cyber incident is perpetrated in good faith by an entity in response to a specific request by the owner or operator of the information system; or
- The threat of disruption as extortion, as described in 6 U.S.C. 650(22).
Incident Reporting Requirements
There are multiple reporting requirements described in the proposed rule, including the need for covered entities to submit a “CIRCIA Report” and/or a “Covered Cyber Incident Report.” If a covered entity was subjected to a ransomware attack and paid a ransom, the covered entity must submit a ransomware payment report. If a covered entity is reporting a covered cyber incident and a ransom payment was made, then a “Joint Covered Cyber Incident and Ransom Payment Report” may be filed, according to § 226.10 of the proposed rule.
CIRCIA Reports
According to § 226.6 of the proposed rule, a covered entity must submit a “CIRCIA Report” to CISA using a web-based CIRCIA Incident Reporting Form accessible on CISA’s website.
A covered entity must provide the following types of information in the CIRCIA Report, to the extent such information is available and applicable to the event reported:
- Identification of the type of CIRCIA Report submitted by the covered entity.
- Information relevant to establishing the covered entity’s identity, including the covered entity’s full legal name; state of incorporation or formation; entity type; physical address; website; and the critical infrastructure sector or sectors in which the covered entity considers itself to be included.
- Contact information, including the full name, email address, telephone number, and title for the following individuals: (i) the person submitting the CIRCIA Report on behalf of the covered entity; (ii) a point of contact for the covered entity if the covered entity uses a third party to submit the CIRCIA Report or would like to designate a preferred point of contact that is different from the individual submitting the report; and (iii) a registered agent for the covered entity, in the event neither the individual submitting the CIRCIA Report nor the designated preferred point of contact are a registered agent for the covered entity.
If a covered entity uses a third party to submit a CIRCIA Report on the covered entity’s behalf, then an attestation must be filed stating that the third party is authorized by the covered entity to submit the CIRCIA Report on the covered entity’s behalf.
Covered Cyber Incident Reports
In addition to CIRCIA Reports, § 226.7 of the proposed rule has a separate set of requirements for “Covered Cyber Incident Reports.” In effect, a covered entity must provide all the information described above in the CIRCIA Report section AND the following information, to the extent such information is available and applicable to the covered cyber incident:
- A description of the covered cyber incident and the category, or categories, of any information that was, or is reasonably believed to have been, accessed or acquired by an unauthorized person or persons;
- A description of any vulnerabilities exploited;
- A description of the covered entity’s security defenses in place, including but not limited to any controls or measures that resulted in the detection or mitigation of the incident;
- A description of the type of incident and the tactics, techniques, and procedures used to perpetrate the covered cyber incident;
- Any indicators of compromise observed in connection with the covered cyber incident;
- A description and, if retained, a copy or samples of any malicious software the covered entity believes is connected with the covered cyber incident;
- Any identifying information of the threat actor, or threat actors, reasonably believed by the covered entity to be responsible for the covered cyber incident; and
- A description of any mitigation and response activities taken by the covered entity in response to the covered cyber incident.
Additionally, ransom payments must be separately reported within 24 hours of being made.
Exceptions to Incident Reporting Obligations
According to § 226.4 of the proposed rule, there are three exceptions that apply to reporting on covered cyber incidents and ransom payments: (1) the “substantially similar reporting” exception; (2) the Domain Name System exception; and (3) the FISMA report exception. Examining each exception:
For most entities reporting incidents, the “substantially similar reporting” exception will be the primary exception to be reviewed and considered. That exception states that a covered entity that reports a covered cyber incident, ransom payment, or information that must be submitted to CISA in a supplemental report to another Federal agency pursuant to the terms of a CIRCIA Agreement will satisfy the covered entity’s reporting obligation. It is important to note that CISA retains discretion to determine what constitutes substantially similar information for the purposes of this part. In general, in making this determination, CISA will consider whether the specific fields of information reported by the covered entity to another Federal agency are functionally equivalent to the fields of information required to be reported in CIRCIA Reports.
The other two exceptions, the Domain Name System exception and the FISMA report exception, apply to entities such as ICANN and federal agencies, exempting them from the reporting rules.
Data Preservation Obligations
CIRCIA requires that covered entities preserve data related to the covered cyber incidents or ransom payments that they report under the law. Under the proposed rule, entities that report an incident through CIRCIA will need to retain the data used to file the report for at least two years. According to § 226.13 of the proposed rule, the types of data and records subject to the two-year preservation requirement include the following:
- Any communications with a threat actor, including copies of actual correspondence, notes taken during any interactions, and so forth;
- Indicators of compromise;
- Relevant log entries and forensic artifacts;
- Data and information that may help identify how a threat actor compromised or potentially compromised an information system;
- System information that may help identify exploited vulnerabilities;
- Information about any exfiltrated data;
- All data or records related to the disbursement or payment of any ransom payment, including but not limited to pertinent records from financial accounts associated with the ransom payment; and
- Any forensic or other reports concerning the incident, whether internal or prepared for the covered entity by a cybersecurity company or other third-party vendor.
Subpoena Power
According to § 226.14(c) of the proposed rule, CISA is authorized to issue “information requests” to covered entities “if there is reason to believe that the entity experienced a covered cyber incident or made a ransom payment but failed to report the incident or payment.”
Specifically, CISA is empowered to issue a subpoena to compel information disclosure and can refer the inquiry to the U.S. Department of Justice if an entity fails to comply. In addition, noncompliance could lead to contracting suspensions with DHS.
The proposed rule states that the “reason to believe” a covered entity failed to submit a CIRCIA Report “may be based upon public reporting or other information in possession of the Federal Government, which includes but is not limited to analysis performed by CISA.”
Looking Ahead
Once the proposed rule is formally published, a 60-day public comment period is likely to follow. Upon closure of the public comment period, the proverbial clock will begin to tick on the 18-month timeframe imposed by CIRCIA for CISA to publish a final rule (i.e., around September 2025). Please note that the incident reporting requirements described above do not go into effect until the final implementing rules are in place.
Beth Burgin Waller is a Principal and Patrick J. Austin is Of Counsel at Woods Rogers Vandeventer Black PLC.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness or validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).