A few weeks ago, I had the chance to interview our own Alex Rose, Secureworks® Director of Government Partnerships. In this interview, Alex broke down the draft rules released by CISA for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The draft rules would require all major cybersecurity incidents that hit a defined subset of critical infrastructure organizations in the United States be reported within 72 hours, and any ransom payments be reported within 24 hours. While it will take up to 18 months to finalize the proposed rules, any organization in one of the 16 critical infrastructure sectors will want to start planning now to ensure their teams — and their budgets — are aligned with the draft requirements.
Q1. What is CIRCIA?
Alex: The Cyber Incident Reporting for Critical Infrastructure Act was signed into law in 2022. It tasks CISA with developing and implementing rules for organizations in the critical infrastructure sectors to report certain types of cyber incidents and ransomware payments. As part of the formal process for creating rules, CISA published the proposed reporting requirements on April 4 and will be taking public comment on the rules until June 3, 2024. They then are required to publish final rules within 18 months after the initial draft posting.
Q2. Which industries are affected by CIRCIA?
Alex: CISA has declared 16 critical infrastructure sectors whose “assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
The 16 sectors are:
- Chemical
- Commercial Facilities
- Communications
- Critical Manufacturing
- Dams
- Defense Industrial Base
- Emergency Services
- Energy
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials and Waste
- Transportation Systems
- Water and Wastewater Systems
You can find more information on each sector on the CISA website.
Q3. Will all organizations in the sectors have to report?
Alex: No, covered entities will be determined by a size requirement and other criteria specific to the sector. The proposed rules document and the CISA website have the sector-specific plans, and it's worth noting that becoming a covered entity is not just about owning and operating critical infrastructure — there is a wide range of other factors that can give you that designation, depending on the sector. As proposed, these rules could potentially impact hundreds of thousands of businesses across the country.
Q4. What will covered entities be required to report?
Alex: The proposed rules spell out four different types of reports: one for the cyber incident that occurred, one for any type of ransom payment made, a joint report that covers both the incident and the ransom payment, and a supplemental report that will come later, likely as new information emerges and after the incident is resolved.
Currently, the proposed rules don't offer a lot of specifics on what types of incidents will need to be reported. The rules mainly focus on the concept of what constitutes a substantial cyber incident, such as a Denial of Service attack or ransomware that locks organizations out of their controls, for example. Minor disruptions are not the target of these reporting rules.
Q5. What other changes will CIRCIA bring?
Alex: One of the purposes of CIRCIA is also built around “harmonization,” meaning they have a mandate to look at all the federal rules that exist and determine where there are duplicative efforts and streamline requirements where possible. Another critical element of harmonization is to establish the right information sharing practices across sectors and government agencies so that insights can be brought together to help the cybersecurity community have a better understanding of the collective threat landscape.
Q6. What should organizations be doing now to prepare?
Alex: Organizations should begin reviewing the critical infrastructure sectors and the specific rules proposed for them, and they should take the opportunity to participate in the public comment period that ends on June 3.
Organizations should also take a look at their incident response plans and their data retention policies, especially as they prepare budgets for next year. Data retention will be an important element of the rules, and organizations should be factoring in the potential cost of retention/storage should they have an incident. The rules require up to one year of data retention for these incidents. Companies should also be investing properly in their security programs now to ensure they have continuous monitoring and end-to-end detection and response capabilities. Having a robust cybersecurity plan will help organizations minimize incidents and mitigate the requirement to report on many of them.
It's also a good idea to get to know your regional CISA reps now. They have a wealth of information they can provide both now and when an incident happens, and it's better to meet them before an incident rather than in the middle of one.
It's important to approach these rules with an open mind and the understanding that they are meant to enhance the sharing of insights and information across industries so we can better protect organizations against cyberattacks. The more we can come together as a cybersecurity community, the stronger our defenses against cybercrime will be.
Based on these and other ongoing regulatory changes, if you want to review your incident response plans with our team of experts at Secureworks, please reach out to talk with a member of our team today.
*Please note that the content provided in this blog is for informational purposes only and is not intended to be legal advice. It is important for readers to consult with their own legal counsel to obtain advice specific to their situation and to ensure compliance with all applicable laws and rules.