CISA’s Very Broad Proposed Rule for “Critical Infrastructure” Entities to Report Cyber Incidents

Next year, a lot more companies, including many that have not considered themselves to be critical infrastructure, may be required to report cyber incidents to the U.S. government.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released a long-awaited Notice of Proposed Rulemaking (NPRM or “proposed rule”) to implement the March 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Notably, the NPRM broadly defines the types of entities to which these reporting obligations apply and includes any cyber incident that disrupts business or causes a substantial loss of confidentiality. If a report is required, the rule imposes detailed requirements about the information that must be shared with CISA, and the types of data and information that must be preserved.

The public has until July 3, 2024, to comment on the proposed rule; CISA will issue a final rule within 18 months.

Backdrop

When President Biden signed it into law in March 2022, CIRCIA broke new ground by requiring critical infrastructure entities to report cyber incidents and ransom payments in a relatively short time period to CISA, which emerged in 2018 as the government’s lead agency for non-military cybersecurity issues.

CIRCIA requires covered critical infrastructure entities to report to CISA within 72 hours after reasonably believing that a covered cyber incident has occurred. It also requires reporting of ransom payments made in response to a ransomware attack within 24 hours after the ransom payment has been made. However, CIRCIA did not define what qualifies as a “covered entity” and a “covered cyber incident,” but rather directed CISA to issue rules both defining those terms and providing details about the information that must be reported and preserved.

In the 447-page NPRM, CISA filled in the blanks in perhaps the broadest way possible. Its definition of covered entities includes almost every aspect of the United States’ critical infrastructure. The NPRM also introduced a new—and broad—definition for what qualifies as a “substantial cyber event” that triggers the 72-hour reporting requirement.

I. The Definition for a Covered Entity is Incredibly Broad

Under CIRCIA, Congress defined a “covered entity” as “an entity in a critical infrastructure sector, as defined by Presidential Policy Directive 21 (PPD-21),[1] that satisfies the definition established by the [CISA] Director in the final rule.”[2] Although Congress directed CISA to provide “a clear description of the types of entities that constitute covered entities”[3] the NPRM provides little clarity. Rather, the proposed rule essentially applies to all critical infrastructure entities, unless a narrow exception applies. 

Under the proposed rule, an entity will be considered a covered entity so long as it falls within one of the 16 critical infrastructure sectors, as defined by Sector-Specific Plans developed pursuant to PPD-21 in 2015-2016, and it is not a small business. However, a critical infrastructure entity that is a small business will nonetheless be covered by the rule if it meets any of the broadly defined sector-based criterion listed in the rule.  

Companies should review the plans and determine if they are covered because many companies that do not consider themselves to be part of critical infrastructure, such as the hospitality industry, retailers, and IT companies, are captured by those plans.

II. A “Substantial Cyber Event” does not Depend on the Type of Data or System

CIRCIA requires covered entities to report a “covered cyber incident,” which it defines as “a substantial cyber incident,” to CISA within 72 hours. Under the NPRM, CISA broadly defines a cyber incident to be “substantial” if any of the following four “impacts” are met:

1. A substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network (e.g., persistent access to information systems by an unauthorized third party);
2. A serious impact on the safety and resiliency of a covered entity’s operational systems and processes (e.g., a cyber incident that disrupts the ability of a communication service provider to deliver emergency alerts);
3. A disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services (e.g., the exploitation of a zero-day vulnerability that results in “extended downtime” for a covered entity’s information system or network); or
4. Unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise (e.g., the exfiltration of sensitive data in an unauthorized manner for an unauthorized purpose, such as through compromise of identity infrastructure or unauthorized downloading to a flash drive).

Under this definition, CISA estimates that there could be at least 210,000 reports filed by 2033. We assess that, under the rules as proposed, the number of reports is likely to be far greater.

III. Reporting and Preservation Requirements are Very Detailed

The NPRM requires covered entities that experience a covered cyber incident to submit a report within 72 hours after “reasonably believe[ing]” that the incident occurred. The proposed rule recognizes that, in many cases, an entity may need to perform some “preliminary analysis” before reaching a reasonable belief that a covered cyber incident has occurred; however, the proposed rule indicates CISA’s view that this preliminary analysis “should be relatively short in duration (i.e., hours, not days) before a ‘reasonable belief’ can be obtained, and generally would occur at the subject matter expert level and not the executive officer level.” The NPRM also requires covered entities to report to CISA any ransom payment within 24 hours of making the payment.

The NPRM contemplates requiring covered entities to submit detailed incident reports on a web-based portal, which can be submitted by a third party. These reports would include:

• A narrative description of the incident including the impacted information systems, a timeline of the incident, and operational impact;
• A description of any vulnerabilities, as well as the covered entity’s security controls;
• The tactics, techniques, and procedures used by the perpetrator and any associated indicators of compromise; and
• Whether law enforcement was engaged and the identities of, and requested assistance from, any third parties.

For ransom payment reports, CISA requires similar reports and additional details regarding the ransom demand amount, the date of the ransom payment, the amount paid, and any outcomes associated with the ransom payment (e.g., returned data or receiving a decryption key).

The NPRM also establishes that, after submitting a report, covered entities are expected to preserve certain types of data and information for no less than two years. Under the proposed rule, a covered entity must preserve data and records relating to the cyber incident and any ransom payment. Examples of such records include: logs, forensic artifacts, network data, communications with the threat actor, system information (e.g., operating system, patch levels, and configuration settings), and details about any exfiltrated data.

Enforcement

If the agency has reason to believe that the covered entity experienced a covered cyber incident or made a ransom payment but failed to make a required report, CIRCIA authorizes the Director of CISA to issue a request for information (RFI) to the covered entity. If an entity fails to respond to an RFI adequately within 72 hours, the Director may issue a subpoena to compel the disclosure of the requested information. The proposed rule also provides that CISA may refer the matter to a regulatory agency for an enforcement action or to the Department of Justice for civil enforcement or criminal prosecution.

IV. Outlook

The NPRM makes clear that CISA intends to make broad use of the authorities that Congress provided through CIRCIA. CISA has widened the meaning of critical infrastructure, potentially meaning hundreds of thousands of private sector companies would have reporting requirements under the statute. Further, because the agency broadly defined the type of cyber incidents that will trigger these reporting obligations, covered entities may be reporting sooner rather than later. Finally, because the proposed rule also requires detailed reporting and preservation requirements for entities that experience a cyber incident or make a ransom payment, companies should ensure that they have policies and procedures in place to comply with these obligations.

We will continue to analyze the potential impacts of the NPRM; however, here are a few key takeaways for impacted entities.

1. Comment now: The public may comment on CISA’s NPRM until July 3, 2024.
2. Determine whether the rules apply to you: The initial question is whether your company qualifies as part of the United States’ critical infrastructure, and then determine whether any reporting exception applies. 
3. Hone your Incident Response Plan (IRP): As CISA outlines, covered entities are expected to conduct a preliminary analysis of an incident in “hours, not days.” The IRP should be a well-practiced document for IT, information security, and legal teams, and a well-understood document by executive management.
4. Think through the preservation requirements: The NPRM’s preservation requirements are new and severe. Companies should be able to quickly retrieve logs and forensic artifacts – and have a plan and budget to store them for more than two years.
5. Conduct a tabletop exercise: Whether or not you’ve experienced a cyber incident, conduct a tabletop exercise in the next 18 months to pressure-test the company’s response against CISA’s new requirements.  

[1] PPD-21, issued by President Obama in 2013, identifies 16 critical infrastructure sectors.

[2] 6 U.S.C. § 681(4). 

[3] 6 U.S.C. § 681b(c)(1).