A break down of the proposed CIRCIA rule

This week on Off the Shelf, Townsend Bourne, partner at Sheppard Mullin, shares her insights regarding the Cybersecurity and Infrastructure Security Agency’s (CISA’s) proposed rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

Townsend Bourne, partner, Sheppard Mullin

At over 400 pages, the proposed CIRCIA rule is a daunting read. Bourne breaks down the rule identifying the key aspects and corresponding impacts for those covered entities.  She discusses the 16 critical infrastructure sectors covered and the corresponding number of private firms that will be subject to the rule, noting that defense infrastructure sector will now be subject to overlapping reporting requirements (CIRCIA and the DFARS/FAR cyber incident reporting requirements).

Bourne also outlines what “cyber incidents” are to be reported, walking through the key tests for reporting .

Finally, she details the mechanics and key features of the reporting process and contrasts the CIRCIA rule with the proposed FAR cyber incident reporting rule.