The proposed rulemaking for CIRCIA, a pivotal cybersecurity law impacting critical infrastructure, offers important details on the act, like who is a 'covered entity' and what makes up a 'substantial' cyber incident.
.png?width=1600&height=900&name=CIRCIA%20NPRM%20(1).png)
With the delivery of a 447-page proposed rule from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) passed in 2022 has moved into the congressional rulemaking stage.
CIRCIA requires ‘covered entities’ to report ‘substantial’ cyber incidents within 72 hours. Similarly, if a ransom payment is made, it must be reported within 24 hours of the transaction being completed. CIRCIA also spurred the Department of Homeland Security (DHS) to create an intergovernmental Cyber Incident Reporting Council to standardize reporting requirements. The Joint Ransomware Task Force, another interagency organization combating ransomware, was also created through CIRCIA.
CISA has encouraged people to report cyber incidents for a while, aiming to gather information on cyber threats and help organizations that are likely to be targeted. CIRCIA’s mandates are a sign that cybersecurity, and more specifically, cyber incident reporting is a new priority to the federal government.
CIRCIA was signed into law on March 15, 2022, and is going through the rulemaking process. Two years after being enacted, a Notice of Proposed Rulemaking (NPRM), was posted on March 27, 2024. This means that the final rule will likely come well into the second half of 2025, as CISA is required to publish it 18 months after the NPRM is released. At the moment, the NPRM is open for public comment for 60 days - until June 3, 2024.
CISA will take the comments (instructions on how to make your own comments can be found here) into consideration when making the final rule. The Cybersecurity and Infrastructure Security Agency says that it worked with many federal agencies (like the Department of Justice) as well as non-federal stakeholders during the rulemaking process, so collaboration appears to be a large part of the journey.
The NPRM shares a lot of detail on what CIRCIA will look like. CISA estimates that the rule would cost $2.6 billion over the period of analysis, and that more than 316,200 covered entities would be affected by the rule. The document explains that Sector-Specific Plans (SSPs) can be used to check what, if any, sector an organization can be sorted into, and that the “overwhelming majority of entities, though not all, are considered part of one or more critical infrastructure sector.”
The notice also provides important definitions; a covered entity is “an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21…”, and a substantial cyber incident is “a cyber incident that leads to any of the following:
(a) a substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network;
(b) a serious impact on the safety and resiliency of a covered entity’s operational systems and processes;
(c) a disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or
(d) unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise.”
While it may be a while until the final rule for CIRCIA is released, many people are looking forward to it. Jen Easterly, Director of CISA said in a press release that "CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure. It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats. We look forward to additional feedback from the critical infrastructure community as we move towards developing the Final Rule."