On March 15, 2022, US President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 as part of a larger appropriations bill. This act represents the most expansive cybersecurity regulations for the private sector in the US to date, requiring critical industry sectors to report incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
The US passed the act under the shadow of the conflict in Ukraine, with many in the country fearing increasing cyberattacks from spies and criminals alike. Importantly, this act was a decade in the making and aims to shed light on just how many companies fall victim to cyberattacks – something that has been difficult to quantify in the US.
While the act’s incident reporting requirements will not go into effect until CISA introduces certain rules (which could be as long as 42 months), it’s important to understand what’s outlined in the new law. Additionally, covered organizations should pay close attention to CISA’s rulings, as there are several areas of ambiguity in the act that the agency will clarify.
The Essential Role of CISA in Implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022
CISA is a US federal agency under the Department of Homeland Security that was created in 2018 with the mission to enhance the security, resiliency, and reliability of the country’s cybersecurity and communications infrastructure.
The agency plays an essential role in implementing the new cyber incident reporting act, as there are several areas of ambiguity around covered entities that must comply with the law, cyber incidents that require reporting under the law, and the timeline for reporting that CISA is responsible for defining. These definitions will ultimately shape who and what the act covers as well as what’s required in those instances and how the law gets enforced.
Additionally, the act will not be effective until CISA issues a final rule. The agency has 24 months to issue a notice of proposed rulemaking and 18 months from that notice to issue a final rule.
Beyond those rules that will help implement the law, CISA is also responsible for:
- Determining the impact of cyber incidents on public health and safety
- Sharing information about cyber incidents with relevant federal agencies
- Coordinating the sharing of details about cyber incidents between infrastructure owners to help educate others about potential threats
- Investigating significant cyber incidents and sharing strategies to prevent or lessen the damage from similar incidents going forward
Who Must Comply with the Cyber Incident Reporting for Critical Infrastructure Act of 2022
The act applies to the critical infrastructure sector, which is defined in Presidential Policy Directive 21 and includes:
- Commercial facilities
- Critical manufacturing
- Defense industrial base
- Emergency services
- Financial services
- Food and agriculture
- Government facilities
- Healthcare and public health
- Information technology
- Nuclear reactors, materials, and waste
- Transportation systems
- Water and wastewater systems
Notably, the act does not specify that all of these sectors are subject to compliance. Now, it’s up to CISA to specifically define which of these sectors must comply with the new law based on the consequences of a cyberattack to national and economic security as well as public health and safety. CISA will also need to consider the extent to which any disruptions would impact critical operations within the US. The organizations in sectors that CISA deems subject to the act will be known as “covered entities.”
What Types of Incidents are Covered Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022
The new act requires organizations to report a “substantial cyber incident” and any ransom payments to CISA.
Importantly, the act only partially defines what a substantial cyber incident means. It defines a cyber incident as an unauthorized occurrence that actually or imminently jeopardizes the integrity, confidentiality, or availability of information on an information system, or the information system itself.
Now, CISA must define what qualifies as a “substantial” cyber incident that’s reportable under the act as part of its implementation rules. The minimum threshold for substantial cyber incidents includes:
- Substantial loss of confidentiality, integrity, or availability of an information system, or a serious impact to its safety and resiliency
- Disruption of operations due to a cyberattack directly targeting the organization’s information or information systems
- Unauthorized access or disruption of operations due to a loss of service from a third-party provider, including a cloud service provider, managed service provider, data hosting provider, or supply chain partner
Finally, any instance in which a covered entity makes a ransom payment (which can include money or other property or asset) in connection with a ransomware attack also requires a report under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Even if the attack and resulting payment do not meet the definition of a substantial cyber incident, organizations are still required to report the payment to CISA.
What Reporting Measures are Required Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022
Covered entities must report any substantial cyber incident to CISA within 72 hours of when they “reasonably believe” the event has occurred. The act does not define “reasonably believe” and does not require CISA to define it either. As a result, the meaning may end up being settled through the course of actually applying the law.
CISA will, however, have to define specifics around what the reports must contain and if there are any restrictions for the formatting or delivery of the report. At the very least, the act requires an organization’s report to CISA about a substantial cyber incident to include:
- Description of what happened, including what was affected, the type of attack or unauthorized access that occurred, the estimated date range for the event, and the impact to the organization’s operations
- Description of the vulnerabilities exploited, the security defenses in place, and the tactics used to gain access during the attack
- Any identifying or contact information for those reasonably believed to be responsible for the attack
- The categories of information that are reasonably believed to have been subject to unauthorized access or acquisition
- Identification of the impacted entity
- Contact information for the impacted entity or an authorized agent of the entity
Similar requirements apply in the case of ransom payments. Covered entities must issue a report to CISA within 24 hours of making the payment. Pending more definitions from CISA, the report should contain, at a minimum, all of the above points of information as well as:
- The date of the ransom payment
- The ransom payment demand, including the type of currency requested
- The ransom payment instructions, including where to send the payment
- The amount of the ransom payment
If any substantial new or different information arises after the initial report, organizations must continue to alert CISA (even if it means issuing multiple reports) until the incident has concluded and been fully mitigated and resolved. Organizations must also maintain all data related to cyber incidents or ransom payments based on guidance CISA still has to define.
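The reporting rules above (the three threshold categories, the rule that a ransom payment is reportable on its own, the 72- and 24-hour windows, the minimum report content, and the duty to file supplemental reports until the incident is resolved) can be encoded as a small obligation tracker for an incident response playbook. The following is an added example written for this page; it is not code from the page's author or from any BreachRx product. The category keys, the report field names, and the sample incident are all constructed assumptions; the act describes these items in prose and prescribes no field names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reporting windows from the act: 72 hours after the entity "reasonably believes"
# a substantial incident occurred, 24 hours after a ransom payment is made.
SUBSTANTIAL_INCIDENT_WINDOW = timedelta(hours=72)
RANSOM_PAYMENT_WINDOW = timedelta(hours=24)

# The act's minimum threshold categories for a "substantial" incident.
# The key names are assumptions; the act states the criteria in prose.
THRESHOLD_CATEGORIES = frozenset({
    "substantial_cia_loss",      # loss of confidentiality/integrity/availability or safety/resiliency impact
    "operations_disrupted",      # operations disrupted by an attack on the entity's own systems
    "third_party_service_loss",  # access or disruption via loss of a cloud/MSP/hosting/supply-chain service
})

# Minimum content of an incident report (field names assumed; content follows the act).
INCIDENT_REPORT_FIELDS = (
    "incident_description",         # what happened, what was affected, attack type, date range, impact
    "vulnerabilities_and_tactics",  # vulnerabilities exploited, defenses in place, tactics used
    "attacker_information",         # identifying/contact information for those believed responsible
    "data_categories_affected",     # categories of information believed accessed or acquired
    "impacted_entity",
    "entity_contact",
)
# A ransom payment report carries everything above plus the payment details.
RANSOM_REPORT_FIELDS = INCIDENT_REPORT_FIELDS + (
    "payment_date", "ransom_demand", "payment_instructions", "payment_amount",
)


@dataclass
class Incident:
    reasonable_belief_at: datetime             # when the entity reasonably believed the incident occurred
    threshold_hits: frozenset = frozenset()    # which THRESHOLD_CATEGORIES the incident meets
    ransom_paid_at: Optional[datetime] = None  # when a ransom payment was made, if any


def is_substantial(incident: Incident) -> bool:
    """Treat the incident as substantial if it meets any threshold category."""
    return bool(incident.threshold_hits & THRESHOLD_CATEGORIES)


def reporting_deadlines(incident: Incident) -> dict:
    """Return {report_kind: deadline} for every report the act requires.

    A ransom payment is reportable on its own, even when the incident
    does not meet the substantial-incident threshold.
    """
    deadlines = {}
    if is_substantial(incident):
        deadlines["substantial_incident"] = incident.reasonable_belief_at + SUBSTANTIAL_INCIDENT_WINDOW
    if incident.ransom_paid_at is not None:
        deadlines["ransom_payment"] = incident.ransom_paid_at + RANSOM_PAYMENT_WINDOW
    return deadlines


def missing_fields(report: dict, report_kind: str) -> list:
    """List the minimum-content fields a draft report does not yet fill."""
    required = RANSOM_REPORT_FIELDS if report_kind == "ransom_payment" else INCIDENT_REPORT_FIELDS
    return [name for name in required if not report.get(name)]


def supplemental_report_due(previous: dict, current: dict, resolved: bool) -> bool:
    """A supplemental report is due whenever substantial new or different
    information appears, until the incident is concluded and fully resolved."""
    if resolved:
        return False
    return any(current.get(key) != previous.get(key) for key in set(previous) | set(current))


# Constructed sample: a ransomware event at a hypothetical covered entity.
SAMPLE = Incident(
    reasonable_belief_at=datetime(2022, 6, 1, 9, 0, tzinfo=timezone.utc),
    threshold_hits=frozenset({"operations_disrupted"}),
    ransom_paid_at=datetime(2022, 6, 2, 15, 30, tzinfo=timezone.utc),
)

# Constructed partial draft report, as a team might have it a few hours in.
SAMPLE_DRAFT = {
    "incident_description": "Ransomware halted order processing starting 2022-06-01",
    "impacted_entity": "Example Manufacturing Co. (constructed)",
    "entity_contact": "irt@example.invalid",
}

if __name__ == "__main__":
    for kind, due in reporting_deadlines(SAMPLE).items():
        print(f"{kind}: due by {due.isoformat()}")
    print("still missing for the ransom payment report:", missing_fields(SAMPLE_DRAFT, "ransom_payment"))
```

Because the two windows are anchored to different events (the moment of reasonable belief versus the moment of payment), a single incident can carry two separate deadlines, and the ransom payment report can fall due before the incident report does, as the sample shows.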
One unique element of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 is that it also offers protections for organizations that issue a report. These protections aim to shield organizations from certain risks of public access and litigation. They include:
- Not using the reports in regulatory actions against the covered entity
- Exempting the reports from disclosure under the Freedom of Information Act
- Treating any reports as the commercial, financial, and proprietary information of the covered entity
- Not granting any kind of waiver of privileges, including trade secret protections, as a result of a report
- Not using any reports or records of preparing the report as evidence in hearings or other proceedings
- Anonymizing the organization when CISA leads information-sharing initiatives
Any non-covered entities that want to voluntarily submit a report to CISA following a cyber incident or ransom payment can do so and receive these same protections.
What Types of Incidents Can Trigger a Report Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022
Any covered entity that experiences a substantial cyber incident or makes a ransomware payment must issue a report to CISA. Although CISA has yet to define “substantial cyber incident,” the term may include the following types of events:
Distributed Denial of Service (DDoS) Attack
During a DDoS attack, attackers direct an influx of fake traffic at a server, network, or infrastructure to flood it and halt normal operations. While the DDoS attack itself does not breach any security control, it can bring down operations for an extended period of time, and it is often used as a distraction for other types of attacks that do breach security safeguards.
Zero-Day Attack
A zero-day attack occurs when attackers exploit a vulnerability in software that is either unknown to the developer or organization that owns it, or known but not yet patched. Zero-day attacks are very difficult to detect, and for as long as they continue, attackers can affect the networks, data, or programs connected to the flawed software.
Ransomware Attack
In a ransomware attack, attackers use malware to steal data and then hold it captive in exchange for a ransom payment. If the victim pays the ransom, the data may or may not be returned. Regardless of the outcome, covered entities must report any ransom payments made to CISA.
How the US Will Enforce the Cyber Incident Reporting for Critical Infrastructure Act of 2022
CISA is the first line of defense for enforcement of the Cyber Incident Reporting for Critical Infrastructure Act of 2022; however, the agency cannot issue any monetary penalties. Rather, the agency has the power to request information from any organization it suspects of noncompliance with the law and to issue subpoenas accordingly.
If an organization fails to comply with those orders, CISA can refer the issue to the US Attorney General. At that point, the US Attorney General can enforce the subpoena through civil action, hold the organization in contempt of court, or refer the matter for criminal prosecution.
How Organizations Can Prepare to Comply with the Cyber Incident Reporting for Critical Infrastructure Act of 2022
Although a lot hinges on CISA’s definitions of covered entities and substantial cyber incidents, there are several steps organizations that may be subject to the act can take in the meantime to ensure compliance.
For example, the 72- and 24-hour reporting timelines for substantial cyber incidents and for ransomware payments, respectively, require a quick response, meaning organizations must be prepared to act quickly. Part of this action includes being able to determine whether an incident meets the defined threshold for issuing a report. Additionally, because organizations must issue supplemental reports as new information becomes available, teams must be prepared for an ongoing effort. All of this requires organizations to take a proactive stance on preparing response plans, assigning clear responsibility to team members for each part of those plans, and streamlining workflows so they are coordinated and recorded.
Specifically, organizations that may be defined as a covered entity under the act should begin preparing for three critical phases of incident response:
Readiness focuses on proactively preparing incident response plans so that teams can jump into action quickly when an incident occurs. Doing so can help reduce the associated costs and accelerate a return to business as usual.
Key readiness activities include reviewing the requirements outlined in relevant regulations plus any customer and partner contracts, and outlining clear incident response plans to meet those requirements when an incident inevitably occurs.
Response centers around the actions an organization takes when an incident occurs. Under the new US act, a speedy response is important to diagnosing that an incident meets the reporting threshold and being able to issue a report to CISA within the designated time frame. Further, a faster response can help mitigate any loss of trust from customers or the market.
Key response activities include determining what happened, such as whether or not it meets the reporting criteria under regulations, how and when it happened, and potential consequences. It also involves assigning and executing tasks to uphold any regulatory or contractual obligations, including issuing reports based on applicable laws and taking action to resolve the issue where possible.
Ongoing management recognizes that incident response efforts and planning are not set-it-and-forget-it activities. Rather, they require regular attention to stay up to date as regulations change and threats evolve. This type of ongoing management is also important for laws like the new one in the US that require ongoing reports as new information becomes available.
Key ongoing management activities include establishing a dashboard for measuring and monitoring incident response and updates to regulations and contracts, and maintaining stakeholder alignment and awareness by making that dashboard available for everyone to stay up to date on progress towards minimizing regulatory risk.
What’s Unique About the Cyber Incident Reporting for Critical Infrastructure Act of 2022
There are several elements of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 that make it unique. Some of the most notable include:
Incentive for Compliance vs. Penalty for Noncompliance
Most global data privacy laws enforce compliance by issuing penalties for organizations that fail to comply. The new US act turns that on its head and instead creates an incentive for compliance. It does so by focusing on support and protection from CISA. Specifically, it plans to have CISA aggregate cyber attack information and use that to help organizations better protect themselves against similar threats.
As Senator Gary Peters of Michigan told The Wall Street Journal: “[Organizations are] going to want to comply because CISA is there providing robust support for [them]. The only way the industry can protect itself is that people have to have situational awareness.”
This sentiment is supported by the fact that organizations that issue a report will receive certain protections, even if they are a non-covered entity that submits a report voluntarily.
Notably, CISA has already taken on this type of support work without the act being in place, having successfully helped coordinate responses to a flaw in a widely used piece of software.
Areas of Support for Introducing the Act
In a rare occurrence, the bill for the act received unanimous support from Congress. Where it did receive pushback was from US law enforcement, specifically the Justice Department and FBI.
These federal law enforcement agencies argued that they would be kept out of the loop on cyber attacks, which would ultimately make it challenging for them to do their jobs effectively.
In response, the Director of CISA openly pledged to immediately share new incident reports with the FBI to continue a partnership that helps promote safety.
Focus on Critical Industries, Lack of Emphasis on Personal Data Impact
Finally, the act focuses specifically on critical industries that impact the infrastructure of the US, whereas most other global data privacy laws are much more sweeping and apply to nearly all types of organizations. Additionally, the act lacks an emphasis on the impact of cyber attacks on personal data, which is present in most other data privacy laws around the world.
These different focus areas are not necessarily surprising given recent events that contributed to the US passing the new act. A 2020 attack on federal agencies through a SolarWinds software update and a 2021 attack on Colonial Pipeline that led to fuel shortages across the country are two such examples.
Prioritizing Proactive Incident Management
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 may have some time before it goes into effect as CISA works to further define it, but one thing is clear: it will require proactive incident management to uncover attacks, diagnose what’s happening, and meet the reporting timelines. And that proactive response is something every organization should start working toward sooner rather than later.
Achieving the goal of proactive incident response requires organizations to keep tabs on new regulations and changes to existing ones, introduce clear response plans to meet the requirements in those regulations, assign responsibility for each step in the response plans, and continue to update those efforts as the regulatory environment evolves. Automation helps not only accelerate, but also coordinate and streamline this process.
Importantly, not only can these proactive planning activities help organizations maintain compliance with regulations, but also they can help return more rapidly to business as usual and better maintain customer trust following any incidents.