U.S. Cyber Incident Reporting for
Critical Infrastructure Act of 2022

How to prepare your organization for compliance with the
Cyber Incident Reporting for Critical Infrastructure Act of 2022

The U.S. Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires critical industry sectors to report incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. These  requirements will go into effect when CISA introduces certain rules (which could be up to 42 months) – read on to understand how you can prepare.

Automate United States regulatory and contractual obligations with the BreachRx platform

Tailor your incident response plan in minutes so you know exactly what to do by when and take the legal crisis out of your incident response

The Role of CISA in Defining Incident Response Guidelines

Short-Term Responsibilities

CISA is a US federal agency under the Department of Homeland Security that’s responsible for defining who and what the act covers and how it gets enforced. The agency has 24 months to issue a notice of proposed rulemaking and 18 months from that notice to issue a final rule. The act will not be effective until that time.

Long-Term Responsibilities

  • Determining the impact of cyber incidents on public health and safety
  • Sharing information about cyber incidents with federal agencies
  • Sharing details about cyber incidents to educate about threats
  • Investigating cyber incidents and sharing strategies to reduce damage

Enforcement Responsibilities

CISA leads enforcement by requesting information and issuing subpoenas. If an organization fails to comply with orders, CISA can refer it to the US Attorney General, who can enforce the subpoena through civil action, hold the organization in contempt of court, or refer the matter for criminal prosecution.

Who Must Comply with the Cyber Incident Reporting for
Critical Infrastructure Act of 2022

The act applies to the critical infrastructure sector, made up of 16 sectors as broadly defined in Presidential Policy Directive 21. It’s now up to CISA to specify which of these sectors must comply with the new law based on how a cyberattack on an organization within each sector would impact: 

  1. National and economic security 
  2. Public health and safety
  3. Critical operations within the US

Types of Incidents Covered Under the Cyber Incident Reporting for
Critical Infrastructure Act of 2022

The act requires organizations to report a “substantial cyber incident” and all ransom payments to CISA.

What is a cyber incident?An unauthorized occurrence that actually or imminently jeopardizes the integrity, confidentiality, or availability of information on an information system or the information system itself.
What still needs to be defined?What qualifies as a “substantial” cyber incident that’s reportable under the act based on a minimum threshold.
What is the minimum threshold for substantial cyber incidents?
  • Substantial loss of confidentiality, integrity, or availability of an information system, or a serious impact to its safety and resiliency
  • Disruption of operations due to a cyberattack directly targeting the organization’s information or information systems
  • Unauthorized access or disruption of operations due to a loss of service from a third party provider

Reporting Measures Required Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022

The act has two sets of reporting requirements: one for substantial cyber incidents and one for ransom payments. In both cases, organizations must:

  • Alert CISA through reports of any substantially new or different information until the incident is fully mitigated and resolved
  • Maintain all data related to the incident based on guidance CISA will define.

Reporting Requirements for Substantial Cyber Incidents

When: Covered entities must issue a report to CISA within 72 hours of when they “reasonably believe” the incident has occurred. The act does not define “reasonably believe” nor does it require CISA to define it.

How: CISA will define any restrictions for the formatting or delivery of the report. 

What: CISA will define specifics for what reports must contain. At a minimum, they will require:

  • Description of what happened (what was affected, type of attack, estimated date range, and operational impact)
  • Description of the vulnerabilities exploited, security defenses in place, and tactics used to gain access during the attack
  • Identification of, or contact information for, those reasonably believed to be responsible
  • Categories of information reasonably believed to have been subject to unauthorized access or acquisition
  • Identification of the impacted entity
  • Contact information for the impacted entity or an authorized agent of the entity

Reporting Requirements for Ransom Payments

When: Covered entities must issue a report to CISA within 24 hours of making the payment.

How: CISA will define any restrictions for the formatting or delivery of the report. 

What: CISA will define specifics for what reports must contain. At a minimum, the act requires all of the above points of information as well as:

  • The date of the ransom payment
  • The ransom payment demand, including the type of currency requested
  • The ransom payment instructions, including where to send the payment
  • The amount of the ransom payment

Reporting Protections

The act offers several protections for organizations that issue a report, which extend to any non-covered entities that voluntarily submit a report. These protections include:

  • Not using the reports in regulatory actions against the covered entity
  • Exempting the reports from disclosure under the Freedom of Information Act
  • Considering any reports the commercial, financial, and proprietary information of the organization
  • Not granting any kind of waiver of privileges, including trade secret protections, as a result of a report
  • Not using any reports or records of preparing the report as evidence in hearings or other proceedings
  • Anonymizing the organization when CISA leads information-sharing initiatives

Types of Incidents That Can Trigger a Report Under the
Cyber Incident Reporting for Critical Infrastructure Act of 2022

Any covered entity that experiences a substantial cyber incident or makes a ransomware payment must issue a report to CISA. This may include the following types of events:

tri-alert

Distributed Denial of Service (DDoS) Attack

An attack in which hackers create an influx of fake traffic to a server, network, or infrastructure to halt normal operations. The DDoS attack does not breach security, but it’s often used as a decoy for other types of attacks that do breach security.

Nation-state Attack

Zero-Day Attack

In a zero-day attack, hackers exploit a previously unknown vulnerability in software. These attacks are very difficult to detect, and for as long as they continue hackers can have an impact on networks, data, or programs related to the flawed software.

ransomware

Ransomware Attack

An attack in which hackers use malware to steal data and hold it captive in exchange for a payment. If the victim pays the ransom, the data may or may not be returned. All payments must be reported to CISA, regardless of outcome.

How Organizations Can Prepare to Comply with the Cyber Incident Reporting for Critical Infrastructure Act of 2022

Organizations must take a proactive stance on preparing response plans, assigning clear responsibility to team members for each part of those plans, and streamlining workflows to meet the act’s fast reporting timelines and ongoing requirements for sharing information. Specifically, organizations should prepare for three critical phases of incident response:

Readiness

Proactively preparing response plans so that teams can jump into action quickly to reduce the associated costs and accelerate a return to business as usual. Key activities include: 

  • Reviewing the requirements outlined in regulations and contracts
  • Outlining clear incident response plans to meet those requirements

Response

Taking action when an incident occurs to meet short reporting timelines and mitigate any loss of trust from customers or the market. Key activities include: 

  • Determining what happened (if it meets reporting criteria, how and when it happened, and potential consequences) 
  • Assigning and executing tasks to uphold obligations like issuing reports
  • Taking action to resolve the issue where possible

Ongoing Management

Leading long term efforts to keep response plans up to date as regulations change and threats evolve. Key activities include: 

  • Establishing a dashboard for measuring and monitoring incident response and updates to regulations and contracts
  • Maintaining stakeholder alignment and awareness on responsibilities and progress

Why Proactive Incident Response Is Needed Now

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 will require proactive incident management to uncover attacks, diagnose what happened, and meet reporting timelines.

Organizations must track changes and definitions to regulations, outline clear response plans, assign responsibility for each step in those plans, and continue to update efforts as regulations evolve. Automation can help accelerate, coordinate, and streamline this process to ensure compliance and help return to business as usual faster.

Minimize your regulatory and contractual risk surface with the BreachRx platform

Stop using spreadsheets and documents to keep track of the legal tasks you need to accomplish during an incident response.