Draft Rules Published for Cyber Incident Reporting Requirements

On March 27, 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) published draft rules detailing how critical infrastructure companies must report cyber incidents to the government. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) required CISA to develop these rules.

As currently written, the rules will require covered entities to report any covered cyber incident to CISA within 72 hours of the time the entity reasonably believes the incident occurred. CIRCIA also requires covered entities to report any ransomware payment to CISA within 24 hours of the payment being made. Note that the clock on an incident report starts at reasonable belief, not at confirmation, so incident response playbooks should record the point at which that belief is formed.

A covered cyber incident is one that can “lead to substantial harm or pose a significant threat to the organization’s ability to function or to national security, public health, or safety.”

Covered entities that must follow the cyber incident reporting requirements are organizations operating in one of these sixteen critical infrastructure sectors that either exceed the applicable Small Business Administration size standard or meet one of the sector-specific criteria set out in the proposed rule:

  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food & Agriculture
  • Government Facilities
  • Healthcare & Public Health
  • Information Technology
  • Nuclear Reactors, Materials, & Waste
  • Transportation Systems
  • Water & Wastewater Systems

“Cyber incident reports submitted to us through CIRCIA will enable us to better protect our nation’s critical infrastructure,” said Secretary of Homeland Security Alejandro N. Mayorkas. “CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents, and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors. The proposed rule is the result of collaboration with public and private stakeholders, and DHS welcomes feedback during the public comment period on the direction and substance of the final rule.”

“CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure,” said CISA Director Jen Easterly. “It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats.”

The draft rules were formally published as a Notice of Proposed Rulemaking (NPRM) in the Federal Register on April 4, 2024. The public comment period is open until June 3, 2024.

CompliancePoint has a team of experienced cybersecurity experts who can help your organization implement a security program to better defend against attacks. We can also help organizations achieve compliance with a variety of frameworks including CMMC, FedRAMP, and NIST. Contact us at connect@compliancepoint.com to learn more about our services.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.