New CISA Cybersecurity Incident Reporting Requirements Proposed for Critical Infrastructure Companies

April 22, 2024


On April 4, 2024, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) officially published its Notice of Proposed Rulemaking (NPRM) detailing significant new cybersecurity reporting requirements. If adopted, this proposed rule would require companies in critical infrastructure sectors to report on certain cybersecurity incidents within tight timelines: 72 hours for “substantial cybersecurity incidents,” and 24 hours for ransomware payments.

The public has until June 3, 2024 to submit comments.

Background

In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) established that covered entities must report on covered cybersecurity incidents to CISA, tasking CISA with setting the requirements via rulemaking.1 CIRCIA specifies that covered entities must report cybersecurity incidents within 72 hours after the entity reasonably believes a covered incident has occurred, and 24 hours after making a ransomware payment, and also authorizes CISA to request information and compel information disclosure through enforcement actions.2 The current cyber reporting landscape is extremely fragmented, encompassing dozens of different reporting requirements from federal, state and local sources. CIRCIA is the first federal statute supporting a “comprehensive and coordinated approach” regarding cyber incidents in critical infrastructure sectors.3 The NPRM attempts to implement CIRCIA’s requirements, establishing the categories of covered entities and covered incidents, with a goal towards enhancing cyber threat situational awareness across critical infrastructure sectors.

Types of Entities Covered

CIRCIA specifies that covered entities under the reporting requirements include entities in a critical infrastructure sector,4 authorizing CISA to further clarify through regulation.5 The NPRM lists two means for determining if a critical infrastructure entity is covered: either by size or by sector. A critical infrastructure entity is covered if it: (i) exceeds the standard for small business size set by the Small Business Administration; or (ii) meets one or more of the listed sector-based criteria, regardless of size. The sector-based criteria include:

  1. Owning or operating a covered chemical facility;
  2. Providing wire or radio communications service;
  3. Owning or operating critical manufacturing sector infrastructure;
  4. Providing operationally critical support to the Department of Defense (DoD) or processing, storing, or transmitting covered defense information;
  5. Performing an emergency service or function;
  6. Bulk electric and distribution system entities;
  7. Owning or operating financial services sector infrastructure;
  8. State, local, tribal or territorial entities;
  9. Education facilities;
  10. Entities involved with information and communications technology to support elections processes;
  11. Providers of essential public health services;
  12. Information technology entities;
  13. Owners and operators of a commercial nuclear power reactor or fuel cycle facility;
  14. Transportation system entities;
  15. Entities subject to a regulation under the Maritime Transportation Security Act; and
  16. Owners and operators of a qualifying community water system or publicly owned treatment works.6

CISA stressed that companies should not spend time evaluating whether or not they are a critical infrastructure entity if they meet one or more of the sector-based criteria.7 According to the NPRM, entities that meet the sector-based criteria are necessarily in a critical infrastructure sector.

Types of Cyber Incidents Covered

The NPRM explains that under CIRCIA, CISA is required to establish a definition for “covered cyber incident” that pertains to cyber incidents that are “substantial.”8 Accordingly, the NPRM proposes to define a covered cyber incident as a “substantial cyber incident experienced by a covered entity” so covered entities would only need to determine if a cyber incident is substantial to know if it has to be reported.9 The NPRM would define a substantial cyber incident as a cyber incident that leads to any of the following results:

  • Substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network;
  • Serious impact on the safety and resilience of a covered entity’s operational systems and processes;
  • Disruption of a covered entity's ability to engage in business or industrial operations, or to deliver goods or services;
  • Unauthorized access to a covered entity’s information system or network or any nonpublic information they contain, that is facilitated through or caused by either a compromise of a cloud service provider or other third-party data hosting provider or supply chain compromise.10

CISA offers guidance on when an incident might meet any of these impact thresholds. It is important to keep in mind that any incident that meets one of these thresholds is reportable regardless of cause, including such causes as: (i) a compromised cloud service provider, managed services provider or other third-party data hosting provider; (ii) a supply chain compromise; (iii) a denial-of-service attack; (iv) a ransomware attack; or (v) a zero-day vulnerability exploitation, among others.11

Exemptions

CISA was already required to exclude two types of incidents from the definition of covered cyber incident: (i) events where the cyber incident was perpetrated in good faith by an entity responding to a specific request by the owner or operator of the information system, and (ii) the threat of disruption as extortion.12 The NPRM would add a third exclusion: any lawfully authorized activity by a U.S. Government or SLTT Government entity including activities undertaken pursuant to a warrant or other judicial process.13

Requirements

The NPRM contains requirements for different types of reporting, including initial and follow-up supplemental reports after a covered cyber incident. As previously stated, CIRCIA establishes that covered cyber incidents must be reported within 72 hours after the covered entity reasonably believes that a covered cyber incident has occurred, and ransom payments within 24 hours after the payment has been made. In the NPRM, CISA admits that this timing is subjective, and offers guidance on when a “reasonable belief” might be expected to occur, rather than an exact definition.14 As for the timing for ransomware reports, the NPRM states that payment is considered to be made upon disbursement of the payment either by the covered entity or by an authorized third party on the covered entity’s behalf. Supplemental reports are to be submitted after new information absent from the original report becomes available, or in the event the original report needs to be corrected or completed.15

The information covered entities would provide in reports ranges from items explicitly required by CIRCIA to new items added by the NPRM. These include:

  1. The Identity of the Covered Entity – including legal names, trade names, state of incorporation, physical address, website, and the critical infrastructure sector the entity is considered to belong to.16
  2. Contact Information – such as phone numbers or email addresses, for the covered entity, their authorized agent or an authorized third party.17
  3. Third Party Authorization – CISA proposes a requirement for third parties that submit reports on behalf of a covered entity to include an attestation that it is expressly authorized by the covered entity to submit the report.18
  4. Description of the Covered Incident – including descriptions of the impacted systems, networks and devices along with their locations and technical specifications. CISA notes that it is also interested in whether there was unauthorized access or any informational impacts or compromises, and may pose follow-up questions for additional details.19
  5. Vulnerabilities, Security Defenses, and TTPs – namely which specific products or technologies had vulnerabilities, what security controls the covered entity had, and which controls failed or were not implemented properly. CISA also proposes requiring information on the tactics, techniques, and procedures (TTPs) used to commit the incident, such as a description of the type of incident and the attack vectors at play, along with a copy or sample of any malicious software the covered entity believes is connected to the incident.20
  6. Information on the Identity of the Perpetrator – any information on the identity of those believed to be responsible for the covered cyber incident. CISA proposes including whether the covered entity believes they can attribute the incident and any evidence supporting that assessment as well as the entity’s level of confidence in that assessment.21
  7. Mitigation/Response – the NPRM would add information on mitigation and response activities the covered entity takes following a covered cyber incident, including the covered entity’s assessment of the effectiveness of those activities. CISA also proposes including whether the covered entity engaged with law enforcement or had assistance from any outside parties.22
  8. Additional Information – the NPRM would add a requirement to include any other data or information as needed. CISA states that the changing nature of cyberthreats may lead to CISA identifying other information necessary to meet its obligations under CIRCIA, so CISA proposes leaving the door open for follow-up requests for information to covered entities after covered cyber incidents.23

There are specific content requirements unique to reports on ransomware payments, such as (i) whether exfiltrated data was returned or decryption provided after payment; and (ii) details of the demand and payment rendered, like the type of currency, the payment instructions, and the amount demanded.24

Enforcement

In the event a covered entity fails to report on a covered cyber incident, CIRCIA provides several different enforcement mechanisms for CISA, including: (i) issuing a request for information (RFI); (ii) issuing a subpoena; (iii) referral to the Attorney General for a civil action; and (iv) mechanisms like suspension, debarment and acquisition penalties. The NPRM notes that when evaluating potential enforcement actions, CISA will take into account the complex nature of determining if covered cyber incidents occurred, along with a covered entity’s prior interactions with CISA.25

Companies should begin evaluating whether they may be considered a covered entity under the NPRM and assess potential changes to their cyber incident response strategy. If you have any questions about this proposed rule or its impact on your company, please contact a member of the Akin cybersecurity, privacy and data protection team.


1 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements, Proposed Rule, 89 Fed. Reg. 23644 (April 4, 2024).

2 Id. at 23648.

3 Id. at 23649.

4 Presidential Policy Directive 21 defines “entities in a critical infrastructure sector” to include the following 16 sectors: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear Reactors Materials and Waste, Transportation Systems, Water and Wastewater Systems.

5 89 Fed. Reg. 23660.

6 Id. at 23767-69.

7 Id. at 23703.

8 Id. at 23660.

9 Id. at 23661.

10 Id.

11 Id. at 23665.

12 6 U.S.C. 681b(c)(2)(C).

13 89 Fed. Reg. 23666. “SLTT” refers to: “state, local, tribal and territorial.”

14 Id. at 23725.

15 Id. at 23726.

16 Id. at 23719.

17 Id.

18 Id. at 23720.

19 Id.

20 Id. at 23721.

21 Id. at 23722.

22 Id.

23 Id.

24 Id. at 23723-24.

25 Id. at 23733.


© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved.