On March 15, 2022, President Biden signed an omnibus spending bill into law, which, in part, requires companies to report cyber incidents and ransom payments.  The relevant portions of the law, titled the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Act”) proposes reporting requirements for incidents, establishes new programs to curtail ransomware attacks and encourages information sharing between government agencies.

Reporting Requirements

The Act will require a “covered entity” to report any “substantial cyber incident” to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours after the covered entity reasonably believes the incident has occurred. The term “covered entity” means an entity in the critical infrastructure sector, defined in Presidential Policy Directive 21 as an entity with systems and assets of such importance to the United States that the destruction of those system and assets would debilitate national security or public safety. Covered entities may operate in a number of critical infrastructure sectors, including energy, financial services, food and agriculture, healthcare, and information technology. The Act’s final rule will further refine and provide clarity as to which entities will fall under the Act’s definition of “covered entity.”

Similarly, what constitutes a covered cyber incident for reporting purposes is not fully defined, but will include:

  • a cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes;
  • a disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability[1]; or
  • unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.

Further, the Act will require a covered entity to report ransom payments to CISA within 24 hours of payment.

Although the specific requirements of a report under the Act will be defined by the rulemaking at a later date, the Act does state that the following general elements must exist in any mandatory report:

  • identification and description of the potentially affected systems;
  • description of the unauthorized access;
  • estimated date of the incident, and, if applicable, date of ransom payment;
  • a description of the operational impact sustained due to the attack;
  • categories of information that are believed to have been accessed or acquired by the attacker;
  • tactics, techniques and procedures used by the attacker and vulnerabilities exploited;
  • any attacker contact information, including, if applicable, ransom payment transaction details, amount, and instructions;
  • the specific entity impacted, and, if applicable, the entity who paid the ransom; and,
  • contact information that CISA may use to contact the entity, including a request for related service provider contact information.

Third parties, such as law firms, will be able to make reports on behalf of a covered entity. Entities are require to make supplemental reports when substantial developments arise until the covered entity notifies CISA of the incident’s resolution.

In addition, the Act will require covered entities to preserve information relevant to the cyber incident or ransom payment.

Reporting Exceptions and Protections

The Act’s cyber incident and ransomware reporting requirements may not apply to entities that are required by law or contract to report similar information to another federal agency within a similar timeline. While the Act does not specify the specific reporting exemptions, but it is likely referring to incident reporting requirements that apply to other critical infrastructure operators, like airlines and pipeline operators.

According to the Act, reports made pursuant to this Act do not waive any legal protection or privilege. In addition, reports are exempt from FOIA disclosure as well as any other state, Tribal, or local freedom of information law.

New Government Programs

The Act establishes an intergovernmental Cyber Incident Reporting Council, consisting in part of CISA, the Attorney General, the National Cyber Director and the Director of the Office of Management and Budget. The Council’s goal is to streamline federal incident reporting requirements and establish a number of requirements for ongoing briefing on the national cyber threat landscape to congress. Additionally, the Act lays out a Ransomware Vulnerability Warning pilot program and Joint Ransomware Taskforce to aid in the government’s contributions to fight ransomware and provide threat intelligence to the private sector.

Furthermore, the Act allows for interagency sharing of reports for cybersecurity purposes and mandates that any other agencies that receive reports must pass that report to CISA within 24 hours.  CISA will then coordinate further sharing of the report.

Work to be Done

Although additional clarity is needed, it is clear that the federal government is serious about federal reporting requirements.   Accordingly, companies should begin evaluating their processes around incident response and detection to determine how they will comply with the new requirements.

 

[1] The National Institute of Standards and Technology defines a zero day vulnerability as a previously unknown hardware, firmware, or software vulnerability.