The federal government is one step closer to requiring approximately 315,000 businesses to report cyber incidents and ransomware payments. 

For context, in March 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) into law in part as a response to attacks on critical infrastructure, such as ransomware attacks against major pipelines. While the overarching requirements were already established by the law, CISA is now in the process of issuing regulations to implement the law. The Cybersecurity Coalition previously submitted comments to an Advanced Notice of Proposed Rulemaking for CIRCIA, and now CISA is seeking comments on an updated proposed rule.

The proposed rule is open for comments for 60 days, until June 3. Following this, CISA will have 18-months to issue a final rule, approximately by October 4, 2025. CISA expects the final rule would come into effect in early 2026. The Cybersecurity Coalition and other organizations are requesting an additional 30-day extension for comments. 

A lot of organizations assume that CIRCIA doesn’t apply to them because “we’re not critical infrastructure.” Consequently, they may not have looked at the proposed regulation, which is considerably broader than the owners and operators of critical infrastructure.

‍Who is required to report?

Importantly, the reporting requirements would not only apply to “critical infrastructure,” but organizations in a critical infrastructure sector.

To put it simply, CISA proposes a surprisingly broad scope –  CIRCIA’s reporting requirements would apply to either:

1. All entities within a critical infrastructure except small businesses.
2. All entities within a critical infrastructure sector that meet one or more sector-based criteria. 

In other words, even if an entity qualifies as a small business, the proposed rule will apply if that entity satisfies a sector-based criterion. 

What are the critical infrastructure sectors?

CIRCIA draws its definition of critical infrastructure from Presidential Policy Directive 21 (PPD-21). This directive identified 16 critical infrastructure sectors encompassing much of the US economy – i.e., information technology, health, transportation, commercial facilities, etc. We suggest organizations review the Critical Infrastructure Sector Profiles and Sector-Specific Plans to determine if they fall “within a critical infrastructure sector.”

It’s important to note that CIRCIA doesn’t just apply to entities that fall under the traditional definition of critical infrastructure – it also may apply to participants “in the sector” even if the entity itself is not a critical infrastructure.

What type of cyber incident must be reported? 

Covered entities must report substantial cyber incidents, which includes any of the following:

• A substantial loss of confidentiality, integrity, or availability of a covered entity's information system or network.
  
• A serious impact on the safety and resiliency of a covered entity's operational systems and processes.
  
• A disruption of a covered entity's ability to engage in business or industrial operations, or deliver goods or services.
  
• Unauthorized access to a covered entity's information system, network, or nonpublic information.

These cyber incidents must be reported regardless of the cause - including if the compromise occurs via a cloud service provider, managed service provider, or other third-party data hosting provider; a supply chain compromise; a denial-of-service attack; or exploitation of a zero-day vulnerability.

However, a covered cyber incident does not include threats of disruption as extortion, or events perpetrated in good faith in response to a request by the system owner or operator. Although this exemption benefits security researchers who might unintentionally trigger an incident, its scope is limited, leaving uncertainty about whether Vulnerability Disclosure Policies (VDPs) would fall under this exception as well.

What are the reporting requirements? 

The requirements include:

• Covered Cyber Incident Reports – Must be shared no later than 72 hours after the covered entity reasonably believes the covered cyber incident has occurred.
  
• Ransom Payment Reports – Must be shared no later than 24 hours after a ransom payment has been paid.
  
• Supplemental Reports – Must be shared “promptly,” which CISA views as within 24 hours of (i) new or different information becoming available, or (ii) a ransom payment being made after a covered incident was already reported. 

What information needs to be in the report? 

All CIRCIA reports must include information regarding the entity’s identity. Additional information depends on the type of report that is submitted. 

Broadly, covered cyber incident reports must include information of the affected functions, technical details of the networks or devices, compromised information categories, the entity’s security protocols, the impact of the incident on operations, information on any mitigation activities and other information. 

In addition to all information required in a covered cyber incident report, ransom payment reports must further include information on the payment demand, amount and types of assets used in the payment, identity of the recipient, the form of payment requested, the ransom payment instructions, and transaction identifiers.

Are there exceptions?

There are some exceptions that apply to reporting on covered cyber incidents and ransom payments. For the private sector, the most notable is the “substantially similar reporting” exception. Covered entities may be exempted from submitting CIRCIA reports if the entity is already required to report cyber incidents to another federal agency. However, for the exemption to apply, CISA and the other federal agency must have a “CIRCIA Agreement” in place that establishes information sharing mechanisms with CISA.

What protections do covered entities have?

The proposed rule would protect information that covered entities share in cyber incident reports, ransom payment reports, supplemental reports, or follow-up requests for information from CISA. These special protections include restricting use of the information as a basis for regulatory investigation or as evidence in any enforcement proceeding. In addition, such information does not waive any privileges and is not subject to FOIA.

However, submitting a cyber incident report does not absolve an organization from liability for the cyber incident. Although reports under CIRCIA cannot be used as the sole basis for an enforcement action against a covered entity, a regulator could still bring an action against an entity if there is an independent basis to do so. In addition, agencies can still use cyber incident reports as the basis for a sector-wide regulatory action – as distinct from an action against individual entities. 

Are there penalties for non-compliance? 

CISA can pursue penalties against non-compliant entities, including issuing requests for information, subpoenas, referral to the Attorney General, acquisition penalties, and suspension or debarment from federal government business. Making false statements in connection with a CIRCIA report may incur criminal penalties.

* * * 

For more detailed information on the CIRCIA proposed rule, please check out Venable’s client alert here. 

‍