On April 4, 2024, the U.S. Cybersecurity and Infrastructure Security Agency’s (“CISA”) Notice of Proposed Rulemaking (“Proposed Rule”) related to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) was published in the Federal Register. The Proposed Rule outlines draft regulations to implement the two cyber incident reporting requirements under CIRCIA: a 24-hour requirement to report ransom payments and a 72-hour requirement to report covered cyber incidents to CISA. The Proposed Rule also addresses CIRCIA’s requirement to report substantially new or different information related to a previously submitted report. While the Proposed Rule is subject to a comment period that ends on July 3, 2024, and further rulemaking before the Final Rule is issued in the fall of 2025, it nonetheless represents what will likely be the most sweeping cybersecurity notification requirement in the United States to date, affecting nearly all sectors and major industries.
Provided below is a detailed summary of the Proposed Rule followed by a list of key issues for entities that are within the scope of the Proposed Rule’s reporting requirements to consider going forward.
Key Definitions
“Covered Entity”
The proposed definition of a Covered Entity, which is addressed in detail on Covington’s InsidePrivacy Blog, essentially covers any entity within one of the 16 critical infrastructure sectors that either (i) exceeds the relevant small business size standard under the U.S. Small Business Administration’s (“SBA”) small business size regulations or (ii) meets one or more of the enumerated “sector-based criteria.” The blog post discusses the SBA regulations and lists the full set of sector-based criteria, which generally pertain to particular functions or services performed by an entity.
Accordingly, any entity that operates within a critical infrastructure sector and does not qualify as a small business would be a Covered Entity under the Proposed Rule’s definition, whether or not it performs any functions or services covered under the sector-based criteria. Conversely, any entity that operates within a critical infrastructure sector and is covered by one or more sector-based criteria would be a Covered Entity whether or not it qualifies as a small business. The broad scope of the definition is magnified by the Proposed Rule’s application to an entire entity (e.g., corporation, organization) even if only a constituent part of the entity performs a critical infrastructure function, as discussed in the commentary regarding the sector-based criteria in the Proposed Rule.
The threshold requirement that an entity be within one of the 16 critical infrastructure sectors is not defined in the text of the proposed regulation. Rather, the Proposed Rule’s commentary indicates that entities should (1) look to the Sector-Specific Plans (“SSPs”), (2) consider whether they are a member of the Sector Coordinating Councils, which correspond to each critical infrastructure sector, or (3) leverage forthcoming guidance from CISA. Importantly, CISA’s commentary on the Proposed Rule contemplates that it would not only apply to owners and operators of critical infrastructure assets in each sector, but also to a “small subset” of entities covered in the SSPs that are “active participants” in critical infrastructure sectors that impact the security of critical infrastructure.
“Covered Cyber Incidents”
The Proposed Rule sets forth with greater specificity what types of incidents would constitute Covered Cyber Incidents that must be reported to CISA within 72 hours. A Covered Cyber Incident is (1) a Cyber Incident, (2) experienced by a Covered Entity, (3) that meets one or more of four impact-based criteria for a Substantial Cyber Incident. A “Cyber Incident” is defined in the Proposed Rule as an occurrence that “actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an Information System, or actually jeopardizes, without lawful authority, an Information System.” Notably, the definition only covers incidents with actual, not potential, impact. However, Information System is defined broadly in the Proposed Rule to include “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information,” which includes operational technology (“OT”) systems (e.g., industrial control systems (“ICS”), supervisory control and data acquisition (“SCADA”) systems, distributed control systems (“DCS”), and programmable logic controllers (“PLC”)).
A Substantial Cyber Incident is defined as a Cyber Incident that meets any of the following impact-based criteria:
- Substantial Loss of Confidentiality, Integrity, or Availability. The first criterion is a “substantial” loss of confidentiality, integrity, or availability (“CIA”) of an Information System (including OT) or a network. The Proposed Rule’s commentary notes that whether loss is “substantial” will depend on a variety of factors, including the type, volume, impact, and duration of the loss, such as an attack that cuts off services for an extended period or persistent access to an Information System by a threat actor.
- Serious Impact on Safety and Resilience. The second criterion is a “serious” impact on the safety and resiliency of operational systems and processes. The Proposed Rule’s commentary cites to NIST definitions of safety and operational resilience, and notes that “serious” will also depend on a variety of factors, such as the safety hazards posed by an incident.
- Significant Operational Disruption. The third criterion is a disruption of the ability to engage in business or industrial operations, or deliver goods or services, due to: (1) an attack (including, but not limited to a denial-of-service attack, ransomware attack, or exploitation of a zero-day vulnerability) against (i) an Information System or network or (ii) an OT system or process; or (2) a loss of service facilitated through, or caused by, a compromise of a cloud service provider (“CSP”), managed service provider (“MSP”), other third-party data hosting provider, or by a Supply Chain Compromise. The Proposed Rule’s commentary notes that the disruption must be significant, akin to the “substantial” and “serious” qualifiers discussed above.
- Significant Third-Party Compromise. The last criterion is unauthorized access to an Information System or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a CSP, MSP, other third-party data hosting provider, or a Supply Chain Compromise. While similar to the loss of CIA, this criterion is focused on compromise caused by a third-party or a downstream incident within an entity’s supply chain. Again, the Proposed Rule’s commentary notes that the impacts must be significant to meet this criterion.
The Proposed Rule also includes definitions for CSP, MSP, and Supply Chain Compromise. The incorporation of these definitions in the impact-based criteria could effectively mean that a Substantial Cyber Incident accomplished through a third party, including a third party not in privity with the Covered Entity, would be a reportable Covered Cyber Incident for the Covered Entity that is impacted by it.
“Ransom Payments”
The Proposed Rule also defines a Ransom Payment, which must be reported to CISA within 24 hours, as any transfer of money, property, or asset delivered in response to an extortion demand in connection with a Ransomware Attack. Unlike the definition of Cyber Incident, which requires actual impact, the proposed definition of Ransomware Attack generally covers any occurrence that actually or imminently jeopardizes an Information System or the information on that system without lawful authority and that involves, but is not limited to, the use or threat of use of malicious code, denial-of-service, or “another digital mechanism” to interrupt or disrupt operations or the confidentiality, integrity, or availability of data in order to extort payment. This definition would include the use of malware to encrypt a victim’s system, but, if broadly read, may also include the theft or copying of data followed by an extortion demand.
Timing, Manner, and Content of Reports
The Proposed Rule covers four types of reports: Covered Cyber Incident Reports, Ransom Payment Reports, Joint Covered Cyber Incident and Ransom Payment Reports, and Supplemental Reports (collectively, “CIRCIA Reports”).
- Covered Cyber Incident Reports. CIRCIA requires that Covered Cyber Incident Reports be submitted to CISA not later than 72 hours after the Covered Entity develops a reasonable belief that the Covered Cyber Incident occurred. While the Proposed Rule’s commentary does not provide a specific definition for “reasonable belief,” it states that an entity may need to conduct a preliminary analysis to develop a reasonable belief that a Covered Cyber Incident occurred, which it says is a “much lower threshold” than confirmation of an incident. The commentary goes on to say that this preliminary analysis should be quick (i.e., hours rather than days) and that “reasonable belief” would be viewed from the perspective of a subject matter expert (not at the “executive officer level”).
- Ransom Payment Reports. Ransom Payment Reports must be submitted within 24 hours of disbursing payment, regardless of whether the payment relates to a reportable Covered Cyber Incident.
- Joint Covered Cyber Incident and Ransom Payment Reports. The Proposed Rule states that a Covered Entity can also make a Joint Covered Cyber Incident and Ransom Payment Report, if the payment relates to the Covered Cyber Incident. The Report must be submitted to CISA within 72 hours after the Covered Entity reasonably believes a Covered Cyber Incident occurred, but only if the Ransom Payment occurred within that 72-hour timeframe.
- Supplemental Reports. Until a Covered Cyber Incident “has concluded and has been fully mitigated and resolved,” a Covered Entity must “promptly” submit a Supplemental Report whenever “substantial new or different information” arises. Covered Entities can optionally submit a Supplemental Report solely to inform CISA that a Covered Cyber Incident “has concluded and has been fully mitigated and resolved.”
- According to the commentary, “substantial new or different information” includes, but is not limited to, information the Covered Entity was required to provide as part of an earlier report but did not have at the time of submission or that needs to be corrected or supplemented, as well as information required for a Ransom Payment Report, if the Covered Entity makes a Ransom Payment after submitting an initial Covered Cyber Incident Report. In that case, the Supplemental Report regarding the Ransom Payment must be submitted within 24 hours of disbursing payment.
- The commentary also states that the completion of two particular milestones is a “good indication” that an incident “has concluded and has been fully mitigated and resolved”: (1) the entity has completed an investigation of the incident, gathered all necessary information, and documented all relevant aspects of the incident; and (2) the entity has completed steps required to address the root cause of the incident (e.g., completed any necessary containment and eradication actions; identified and mitigated all exploited vulnerabilities; removed any unauthorized access).
- The commentary adds that a Covered Entity should also have a good-faith belief that further investigation would not uncover any “substantial new or different information” about the Covered Cyber Incident.
The Proposed Rule creates differing content requirements for each type of required report. In general, Covered Entities must include identifying information about the Covered Entity, a description of the incident (including its impact), the tactics, techniques, and procedures (“TTPs”) of the threat actor, indicators of compromise (“IOCs”), the identity of the threat actor, if known, and, if a Covered Entity makes a ransom payment, details about the transaction.
The Proposed Rule indicates that CIRCIA Reports would be submitted through an online form on CISA’s web-based portal with exceptions for cases where the portal is not available to a Covered Entity (e.g., due to an ongoing cyber attack).
Data and Records Preservation Requirements
Under the Proposed Rule, Covered Entities would be required to retain an enumerated list of communications, IOCs, relevant logs, other forensic data, system information, information about exfiltrated data, ransom payment records, and any reports produced by the Covered Entity. According to the commentary, the preservation of such data serves certain “critical purposes,” including analyzing how a cyber incident was perpetrated, which may not be immediately identifiable, and supporting law enforcement investigations. Covered Entities must begin preserving these data and records from the earlier of (a) the date upon which the entity establishes a reasonable belief that a Covered Cyber Incident occurred or (b) the date a Ransom Payment was made. This information must then be preserved regardless of format or location, whether physical or electronic, for two years from the date the Covered Entity submitted its latest required report, including any Supplemental Reports.
Exceptions
As discussed in our blog post, the Proposed Rule includes three exceptions to reporting requirements focused primarily on minimizing redundancies across regulated industries. Two of the exceptions are very narrowly tailored and apply to only Domain Name System (“DNS”) entities and federal agencies covered under the Federal Information Security Modernization Act. The third exception for “substantially similar reporting” appears broad on its face, but the Proposed Rule’s commentary indicates that few if any existing reporting requirements would likely qualify.
The substantially similar reporting exception applies where a Covered Entity provides a legally required incident report to another federal agency that contains substantially similar information, is provided in a substantially similar timeframe (i.e., 24 or 72 hours for ransom payments and cyber incidents, respectively), and can be shared within that timeframe under an information sharing agreement between CISA and the federal agency (each, a “CIRCIA Agreement”). When a CIRCIA Agreement is established, CISA will announce and catalog the agreement on a public-facing website. Only incident reports that are made to another federal agency associated with one of the publicly listed CIRCIA Agreements would qualify for this exception. Based on the commentary to the Proposed Rule, which does not include an example of an existing incident reporting requirement that would qualify, we expect CISA will apply this exception narrowly.
Enforcement
If a Covered Entity fails to make a required report or CISA believes a report is deficient or otherwise noncompliant, CIRCIA permits the CISA Director to engage with the entity to obtain the required information through a Request for Information (“RFI”). If the Covered Entity fails to respond or provides what the CISA Director determines is an inadequate response, the CISA Director can issue a subpoena to compel disclosure of the relevant information. If the Covered Entity fails to comply with the subpoena, the CISA Director can refer the matter to the U.S. Department of Justice (“DOJ”), which can bring a civil action to enforce the subpoena. Information provided in response to a subpoena is not subject to the information protections discussed below and may be referred to the DOJ or the head of a federal regulatory agency, if the CISA Director determines that facts related to the Covered Cyber Incident or Ransom Payment may constitute grounds for criminal prosecution or regulatory enforcement action. A Covered Entity may appeal a subpoena to CISA, after which the agency must issue a decision either enforcing or withdrawing the subpoena, which constitutes final agency action subject to judicial review. CISA also has independent authority to pursue other enforcement mechanisms for certain Covered Entities that do not comply with reporting requirements, including, for government contractors, potential suspension and debarment actions through referrals to the DHS Suspension and Debarment Official or another cognizant contracting official.
The Proposed Rule would adopt verbatim the enforcement discretion factors provided under CIRCIA (codified at 6 U.S.C. § 681d(e)), including the complexity in determining whether a Covered Cyber Incident occurred, whether the Covered Entity has had prior interactions with CISA, and the Covered Entity’s awareness of CISA’s reporting policies and procedures.
Protections for Information
The Proposed Rule also includes protections for information disclosed in a CIRCIA Report or in response to an RFI. The Proposed Rule provides an extensive list of protections for the treatment of information and restrictions on use, including, but not limited to:
- Exemption from disclosure under the Freedom of Information Act and similar state, local, or tribal laws;
- No waiver of “applicable privileges” provided by law, including attorney-client privilege and work-product protections;
- A prohibition on federal, state, local, tribal, or territorial governments from using information obtained from a CIRCIA Report or RFI to regulate or bring an enforcement action against a Covered Entity or any entity that made a ransom payment on behalf of a Covered Entity (subject to certain exceptions); and
- A prohibition on CIRCIA Reports or responses to RFIs (including any communication, document, material, or other record, created for the sole purpose of preparing, drafting, or submitting CIRCIA Reports or responses to RFIs) being received in evidence, subject to discovery, or otherwise used in any trial, hearing, or other proceeding in or before any court, regulatory body, or other authority of the U.S. or a political subdivision thereof.
Notably, these protections do not extend to information provided pursuant to a subpoena issued by CISA, which seems to indicate CISA’s intent to incentivize cooperation and affirmative reporting under CIRCIA reporting requirements and CISA RFIs.
Key Takeaways and Observations for Clients
As discussed at the outset, the Proposed Rule represents perhaps the most significant expansion of cybersecurity incident reporting regulation in the United States. While CIRCIA pertains only to incident reporting, the vast scope of the Proposed Rule would cover, in CISA’s own estimation, more than 300,000 entities. These entities will touch nearly every major industry, including financial services, telecommunications, information technology, aviation and other transportation providers, government contractors, oil and gas, healthcare, pharmaceuticals, manufacturing, food and beverage, education, and others.
Notwithstanding a Covered Entity’s ability to submit Supplemental Reports for information about a Covered Cyber Incident that is not yet known at the time an initial report is made, the Proposed Rule would require Covered Entities to disclose a significant quantity of detailed incident information in a short period at a time when entities are typically developing an understanding of what actually occurred. For clients currently operating in less-regulated sectors, the requirements could be onerous and might represent their first time being subject to cybersecurity reporting regulation. However, even clients in regulated sectors that are required to submit incident notifications, such as under the Defense Federal Acquisition Regulation Supplement, Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, or (in the near future) the European Union’s NIS2 Directive, may not be prepared to report on incidents in such short timeframes. Accordingly, organizations of all sizes and regulatory profiles that operate in or support other organizations in critical infrastructure sectors may need to adjust or develop processes to address these new requirements. This may require incorporating new processes into existing incident response and notification procedures, which may also need to be harmonized with any existing processes to notify regulators or to publicly disclose material cyber incidents, such as under the SEC Cybersecurity Disclosure Rule for publicly traded companies.
Understanding that the Proposed Rule is subject to change, clients should nonetheless be mindful of the following key takeaways.
- Covered Entity Determination. Clients will need to determine if they are a Covered Entity, a broad definition that might apply to an entire entity merely because a discrete segment of the organization meets a sector-based criterion. This will be especially important for clients in less regulated industries that have not previously been subject to incident reporting requirements and may not follow these matters closely.
- Entire Organization Is Covered. Further to the point above, Covered Entities may not be able to limit their reporting obligations to lines of business that own, operate, or support critical infrastructure. The Proposed Rule commentary notes that Covered Entities must report all Covered Cyber Incidents or Ransom Payments that impact their organization, even if those events are unrelated to critical infrastructure.
- Update Internal Procedures. Clients should consider updating their incident response plans and notification procedures so that they can accommodate this new requirement and the others we expect to develop over the next few years. Clients may need to gather and review significant amounts of detailed information in a short period of time and share it with CISA, while keeping in mind the potential legal implications discussed below. Covered Entities may also need to continue providing updates to CISA and to preserve all relevant records.
- Incident Response Exercises. Given these new reporting obligations along with others developing across sectors and globally, clients should consider continuing to conduct exercises (or “tabletop exercises”) to test their readiness and decision-making processes.
- Legal Risk Considerations. Clients should consider how CIRCIA Reports could implicate other legal risks. For example, operational impacts that may necessitate submitting a CIRCIA Report could also require public disclosure under SEC disclosure requirements. Clients might also consider how to tailor their descriptions of the incident to avoid additional business or regulatory exposure, notwithstanding the protections discussed above. Additionally, there is added risk related to providing information in a report that changes over time and may be considered inaccurate when examined in the future, given the speed at which reports must be submitted. Accordingly, clients should carefully consider existing processes for drafting reports and how best to leverage the protections afforded under the Proposed Rule.
- Operational Technology Impacts. Incidents and ransomware attacks that trigger reporting include events that impact not only IT systems and data, but also OT, specifically including ICS, SCADA, DCS, PLC, and other technology related to cyber-physical systems. Clients with significant OT footprints (e.g., telecom, manufacturing, utilities, hospitals, oil and gas, food and beverage) may need to address a wider range of reportable incidents in their incident response plans.
- Third Party Compromise. Given the sweeping definition of Substantial Cyber Incident, which incorporates third-party incidents (e.g., compromise of a CSP or MSP) and Supply Chain Compromises, clients might consider the following to enable Covered Entities to meet their reporting requirements: (1) for clients that contract for such services, revising third-party agreements to require cooperation and swift information sharing in the wake of a cyber incident; or (2) for clients that provide such services, developing the capability to identify and share relevant information with customers. While clients may face challenges modifying existing contracts, they should still consider how to implement appropriate language in newly executed agreements and how to comply with such requirements as customers request them.
- Narrow Exceptions and Duplicative Requirements. The proposed exceptions narrowly apply to DNS, federal agencies, and substantially similar reporting requirements. However, CISA has not yet identified any reporting requirements that would qualify under the latter exception. As a result, Covered Entities currently operating in regulated industries may not be exempt under the Proposed Rule.
- Potential Application to Clients that Operate Outside the U.S. The Proposed Rule could be interpreted to apply to incidents that occur outside the United States if, as stated in the commentary, the Covered Entity that regularly operates outside the United States has “legal presence or standing” in the United States. In this regard, the term “entity” is not expressly defined, and there is no clear limitation on the inclusion of subsidiaries in that term. This raises the possibility that an entity (or its foreign affiliates) might have to report a Covered Cyber Incident affecting only the foreign affiliate. Likewise, the term “critical infrastructure” is not defined, but CIRCIA expressly adopts the term “critical infrastructure sector” from Presidential Policy Directive 21 (“PPD-21”), which was rescinded and replaced by National Security Memorandum 22 (“NSM-22”) on April 30, 2024. Both PPD-21 and NSM-22 state that facilities or assets located outside the United States can be considered critical infrastructure. Thus, CISA may take the position that the Proposed Rule applies extraterritorially.
The Proposed Rule solicits feedback on numerous aspects of the regulation. Clients may submit feedback during the review and comment period, which was recently extended to July 3, 2024. Under CIRCIA’s rulemaking requirements, CISA is likely to publish the Final Rule in the Fall of 2025.
If you have any questions concerning the material discussed in this client alert, please contact the members of our Data Privacy and Cybersecurity practice.