Critical input needed: US critical infrastructure asked to engage on proposed cyber reporting rules

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Request for Information (RFI) and announced “public listening sessions” soliciting input in advance of formal rulemaking under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA was enacted in March 2022 amid growing concern around cybersecurity threats and incidents impacting U.S. critical infrastructure. Among other requirements, CIRCIA calls on CISA to establish a mandatory regime under which critical infrastructure entities must report (1) certain cyber incidents to CISA within 72 hours of reasonable belief of occurrence and (2) a ransom payment within 24 hours of making payment. Entities that may fall within one of the critical infrastructure sectors are advised to consider providing input to CISA on how to define CIRCIA’s scope of applicability, including what criteria would appropriately narrow that scope and avoid confusion as to who is covered.

CIRCIA delegates broad rulemaking authority to CISA, which is tasked with promulgating regulations to further define applicability and reporting requirements under the law. Under CIRCIA, CISA must publish a Notice of Proposed Rulemaking by March 2024 and final rules within 18 months of the proposed rules, or no later than September 2025. Entities that fall within a critical infrastructure sector may wish to consider submitting comments now to help appropriately define the scope of applicability and the corresponding reporting obligations. The RFI is open for comments through November 14, 2022. CISA will also hold a series of “public listening sessions” for stakeholders to provide feedback on the upcoming regulations, with over ten such sessions already announced across the United States spanning September through November 2022.

CISA welcomes public comment on any topic related to the upcoming rulemaking and has also identified a non-exhaustive list of 32 topics of particular interest, including definitions and interpretations of terminology, estimates of the likely number of reports to be expected, and reporting triggers and requirements under the law.

Key topics open for comment include:

What is a covered entity?

One of the most critical definitions left to CISA rulemaking is the definition of a “covered entity” required to comply with CIRCIA’s requirements. CIRCIA defines a “covered entity” as an entity that falls within one of the 16 critical infrastructure sectors identified in Presidential Policy Directive 21 (PPD-21), and as further defined by regulations promulgated by CISA.

When submitting comments, entities may wish to consider the three factors defined within CIRCIA to guide CISA’s rulemaking on the scope of “covered entities” for reporting purposes: (1) the consequences that a disruption to or compromise of the entity could cause to national security, economic security, or public health and safety; (2) the likelihood that the entity may be targeted by a malicious cyber actor; and (3) the extent to which damage, disruption, or unauthorized access to the entity would likely enable the disruption of the reliable operation of critical infrastructure.

What is a reportable incident?

CIRCIA requires covered entities to report a “covered cyber incident” to CISA within 72 hours, and CISA is seeking further input on the definition of the terms used to define incidents. A “cyber incident” is currently defined under the law as an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually jeopardizes, without lawful authority, an information system. But not all such incidents will be reportable: under CIRCIA only “substantial cyber incidents” may constitute “covered cyber incidents” subject to reporting obligations—and CISA also seeks input on what constitutes a “substantial” incident.

Entities may wish to comment on these incident definitions to help CISA better align the definition with existing cyber incident reporting requirements and industry practice around incident tracking and reporting. Notably, CISA’s RFI specifically requests input on similarities and differences from other federal incident reporting triggers (and entities may wish to highlight relevant state and international reporting thresholds as well). Entities are well advised to think through how their existing incident response processes would define and rate incidents—to better understand what the CISA reporting requirements would mean for such processes and where changes may be required—as this may influence how entities provide insights to CISA in advance of these incident definitions being finalized.

What is a ransomware attack and a ransom payment?

CIRCIA requires covered entities to report a ransom payment to CISA within 24 hours. A “ransom payment” is defined under CIRCIA as the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack. A “ransomware attack” is defined as an incident that includes the use or threat of use of unauthorized or malicious code on an information system, or the use or threat of use of another digital mechanism such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system to extort a demand for a ransom payment.

Entities may wish to comment on the definitions of “ransom payment” and “ransomware attack” to help guide the final reporting requirement.

What should trigger reporting requirements?

CISA has requested detailed information regarding reporting requirements under CIRCIA, including when the 72-hour timeline for reporting cyber incidents and the 24-hour timeline for reporting ransom payments should begin. CISA expressly requests comments on what should constitute a “reasonable belief” that a covered cyber incident has occurred, so as to trigger the 72-hour reporting timeline; this is likely to be a key question for legal advisors supporting entities in meeting the final regulations.

Format, manner, and content of reports

Entities are encouraged to comment on the format, manner, and content of required reports for covered cyber incidents and ransom payments.

In addition to initial cyber incident reports made within the 72-hour timeline, CISA has requested comments on the process, format, manner, and content of supplemental reports. Notably, CISA has solicited feedback on what constitutes “substantial new or different information” such that a supplemental report would be required, as well as feedback on criteria by which a covered entity may determine that a “covered cyber incident at issue has concluded and has been fully mitigated and resolved.”

Harmonization with existing regulations

CISA further solicits feedback on how it can best harmonize reporting requirements under CIRCIA with reporting obligations under existing laws and regulations. Entities are encouraged to comment on the similarities, differences, and potential conflicts between CIRCIA’s requirements and requirements under existing laws and regulations.

Additional topics for comment

In addition to the key areas for comment discussed above, CISA further solicits comments on how third-party entities should be permitted to make reports on behalf of covered entities and how a third party can meet its responsibility to advise an impacted covered entity of its ransom payment reporting obligations. CISA further solicits comments on policies, procedures, and requirements related to enforcement of CIRCIA requirements, requests for information, protection of reporting entities, and information preservation and retention requirements, as well as any other policies, procedures, or requirements that would benefit covered entities.

Although not expressly discussed in the RFI, one open issue that may increase litigation risk for covered entities is whether reports submitted to CISA will be made public.

Conclusion

CISA is soliciting input over the course of fall 2022, with written comments to the RFI due by November 14, 2022. Entities operating in critical infrastructure may wish to monitor industry input by joining listening sessions, discuss potential implications with trusted advisors and industry groups, and consider providing comments on the key issues facing them now, before CISA begins to calcify its position on the scope of applicability and reporting requirements under CIRCIA as part of its forthcoming rulemaking process.


Authored by Jasmeet Ahuja, Scott Loughlin, Pete Marta, Dan Ongaro, Paul Otto, Allison Holt Ryan, and Alaa Salaheldin.


This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.
