CISA’s cyber incident reporting rules will apply to 316K entities

The Cybersecurity and Infrastructure Security Agency expects to receive tens of thousands of reports on hacks, ransomware attacks and other cyber incident data within the first year of new reporting regulations becoming effective.

CISA released a 447-page notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) today. The proposed rules will officially publish in the Federal Register on April 4. Comments on the proposal will be due by June 3.

The rules lay out how organizations across critical infrastructure sectors will be required to report cyber incidents to CISA.

“These reports will allow us to rapidly deploy resources and render assistance to victims suffering attack, analyzing incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims,” a senior CISA official said on a call with reporters today.

Organizations covered by the rule likely won’t have to start reporting cyber incidents to CISA until early 2026. That’s because after comments on the proposed rule close, CISA has 18 months to finalize the regulations. Congress will then have 60 days to review the rules before they become effective.

CISA spent the last two years developing the proposed rule after Congress passed the incident reporting law in March 2022. They are among the most sweeping cybersecurity requirements ever passed into law.

“We at the department recognize that this piece of policy will be a defining piece of our cyber toolkit that we use,” a senior Department of Homeland Security official said on the call with reporters.

The proposed regulations come as CISA seeks $116 million in fiscal 2025 to beef up its staff and technology to manage the influx of cyber incident reports.

The incident reporting law broadly requires critical infrastructure organizations to report ransomware payments to CISA within 24 hours and “covered cyber incidents” to the agency within 72 hours.

CISA had been urged by some organizations to define the incident reporting rules narrowly to avoid over-reporting. But perhaps in preparation to anticipated pushback on the sweeping regulations, the agency argued it needs to make sure it gets enough data to carry out the intent of the law.

“If CISA designs the proposed regulations in a way that overly limits the quantity and variety of reports it receives from across critical infrastructure sectors, CISA will lack sufficient information to support reliable trend analysis, vulnerability identification, provision of early warnings, and other key purposes of the proposed regulation as indicated by CIRCIA,” CISA writes in the proposal.

316K organizations required to report?

While the law more narrowly defines “covered cyber incident,” it gives more discretion to CISA to define what “covered entities” must report incidents.

The agency estimates approximately 316,000 organizations will be required to report cyber incidents under its rules.

CISA is proposing that a “covered entity” includes any within a critical infrastructure sector that exceeds small business size standards. At the same time, the rules require reporting from entities, regardless of size, that fall into proposed “sector-based criteria” outlined by CISA.

For example, CISA’s proposed rule includes multiple sector-specific criteria for the IT industry, including a requirement to report by any entity that provides IT hardware, software, systems or services to the federal government.

The rulemaking lays out similar sector-specific criteria across the other elements of critical infrastructure, ranging from energy to healthcare to the defense industrial base.

Ultimately, the agency wrote that its definitions are “designed to focus the reporting requirements primarily on entities that own or operate systems or assets considered critical infrastructure” under the definitions of a 2013 presidential policy directive that lays out the 16 critical infrastructure sectors in the United States.

At the same time, the regulations are tailored to require reporting “from a small subset of entities that might not own or operate critical infrastructure but that could impact critical infrastructure to help ensure CISA receives an adequate number of reports overall, including reports of substantial cyber incidents from entities that are most likely to own or operate critical infrastructure,” the agency writes in the rule.

Meanwhile, the incident reporting regulations exclude federal agencies. They’re already required to report cyber incidents to CISA on a shorter time frame than 72 hours.

What cyber incidents need to be reported?

CISA’s proposed requirements around what constitutes a “covered cyber incident” are similarly complex and detailed. The agency’s rules center around triggering reporting for incidents that result in at least one of four scenarios:

• “Substantial Loss of Confidentiality, Integrity, or Availability”
• “Serious Impact on Safety and Resiliency of Operational Systems and Processes”
• “Disruption of Ability to Engage in Business or Industrial Operations”
• “Unauthorized Access Facilitated Through or Caused by a: (1) Compromise of a [Cloud Service Provider], Managed Service Provider, or Other Third-Party Data Hosting Provider, or (2) Supply Chain Compromise”

The agency sought to create a “sufficiently high threshold to prevent overreporting by making it clear that routine or minor cyber incidents do not need to be reported,” CISA writes in the proposed rules.

In the first year of the rules becoming effective in 2026, CISA estimates it will receive approximately, 25,500 reports, including 15,812 “covered cyber incident reports,” 1,754 “ransom payment reports,” 35 “joint covered cyber incident and ransom payment reports,” and 7,906 “supplemental reports.”

How will reporting work?

CISA plans to set up a web-based form through which organizations can report cyber incidents. A senior CISA official said that web form will be released at the same time as the final rule.

Many groups have highlighted the need for a simple reporting mechanism. 

While other entities like the Securities and Exchange Commission require companies to report business impacts that result from a cyber incident, the CISA official said the cyber agency is much more interested in the more technical details of an incident.

“We’re asking for things like the [indicators of compromise], is the specifics on the vulnerabilities that may have been compromised, the impact on their systems operations,” the CISA official said.

So we’re necessarily asking for more specific information because that is how we will use it to enable broader cyber defense across the across the ecosystem.”

The law also gives CISA the power to issue a subpoena to any organization that doesn’t comply with the rules. CISA’s director can also refer the entity to the Attorney General to bring a civil action against any noncomplying organizations.

“The Director will take into account the covered entity’s engagement and cooperation with CISA when determining whether to provide information to the Attorney General or head of a regulatory agency for criminal prosecution or regulatory enforcement, respectively, or to pursue civil enforcement,” the proposed rules state.

The rulemaking also proposes bringing suspension and debarment, as well as the False Claims Act, into play to help back up the incident reporting law’s enforcement provisions.

Harmonization

Meanwhile,  federal agencies already have numerous cyber incident reporting requirements in place. Members of Congress, on both sides of the aisle, have broadly supported CISA’s efforts, while also emphasizing the need to reduce any overly burdensome requirements.

“As we in Congress review and weigh-in on the NPRM, our goal will be to ensure that CISA will have access to the information necessary to disrupt malicious cyber campaigns earlier and identify new tactics of bad actors so the government and the private sector can drive down risk,” Reps. Bennie Thompson (D-Miss.) and Yvette Clarke (D-New York) said in a joint statement today.

“At the same time, we want to reduce compliance costs so more resources can be invested in security,” they continued. “Toward that end, now that the NPRM is out, we hope the Cyber Incident Reporting Council will redouble its efforts to promote harmonization of duplicative cyber incident reporting frameworks across government.”

DHS’ Cyber Incident Reporting Council, in a report released least fall, advocated for agencies adopting standard definitions and a common form across various incident reporting regimes.

And in the proposed rules today, CISA says it plans on working with other federal departments and agencies “to explore opportunities to reduce duplicative reporting of covered cyber incidents through a proposed substantially similar reporting exception to CIRCIA.”

Under the proposed exception, any organization that is required to report an “substantially similar” information on a “substantially similar timeframe” to another federal entity would be excepted from reporting it again under CIRCIA, according to the proposed rules.

“To the extent practicable, CISA is committed to working in good faith with its federal partners to have CIRCIA agreements finalized before the effective date of the final rule,” the proposed rules state.

The senior CISA official, in the call with reporters, acknowledged how much of CIRCIA’s success hinges on how information about cyber incidents is shared across federal agencies and beyond.

“We are making enhancements to our ability to receive reports and more importantly, under the terms of CIRCIA, setting up the connections so that we can immediately share the reports with our interagency partners as required under the statute,” the official said.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.