On March 27, 2024, the Cybersecurity and Infrastructure Security Agency (“CISA”) published a Notice of Proposed Rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which imposes new reporting requirements for entities operating in critical infrastructure sectors. The CIRCIA was originally enacted in part as a response to recent attacks on critical infrastructure, such as the ransomware attack on Colonial Pipeline in May 2021, but CISA’s proposed regulations take a surprisingly broad view of who may be considered a covered entity and what incidents are reportable.

Who Qualifies as a Covered Entity

Covered entities are limited to the 16 critical infrastructure sectors laid out in the Presidential Policy Directive on Critical Infrastructure Security and Resilience Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.

Organizations are generally expected to be able to self-identify if they operate in a particular sector, but the types of entities that would be considered participants in a given sector are also described in greater detail by Sector-Specific Plans that are readily available on the CISA website. Across sectors, CISA has created both size-based and sector-specific criteria to determine which entities are considered “covered entities,” with the aim of receiving a broad range of reports from those organizations that are likeliest to be targeted by cybersecurity attacks or would have the greatest impact on critical infrastructure if they were to suffer an attack, and also have the resources to implement cybersecurity measures that would be responsive to CISA regulations.

Size-Based Criteria:

All entities in critical infrastructure that exceed the small business size standards set forth by the Small Business Administration—that is, any that are not considered “small businesses”—automatically qualify as covered entities.

Sector-Based Criteria:

CISA’s sector-based criteria captures smaller entities that may not meet the size threshold but are nonetheless considered “high-risk,” such as critical access hospitals in rural areas, owners and operators of nuclear facilities, and large school districts. Many of these criteria overlap with pre-existing regulatory reporting requirements. For example, government contractors or subcontractors with reporting obligations to the DOD or DOE for cyber incidents, or financial services entities that are already required to report cyber incidents to their primary federal regulator would be considered “covered entities” under the CIRCIA. There are no sector-based criteria for the Commercial Facilities, Dams, or Food and Agriculture sectors, where the entities that would likely impact national security, economic security, or public safety are already identified by size.

What Qualifies as a Covered Cyber Incident

A covered incident is a cyber incident that leads to any of the following:

  • a substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network;
  • a serious impact on the safety and resiliency of a covered entity’s operational systems and processes;
  • a disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or
  • unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise.

Note that this definition covers the listed impacts regardless of cause, and can include compromises not only to the covered entity itself but also to cloud service or managed service providers, third-party data hosting providers, supply chain operators, etc., that provide services to the covered entity.

Reporting

There are four circumstances that trigger a reporting requirement under the CIRCIA.

  1. A covered entity experiences a covered cyber incident
  2. A covered entity makes a ransom payment as a result of ransomware attack against the entity.  
  3. Substantial new or different information becomes available related to the covered cyber incident before it has concluded and been fully mitigated.  
  4. A covered entity makes a ransom payment after it has already filed a covered cyber incident report.  

CISA has proposed four report types, one per type of triggering event, to be filed by covered entities or third parties filing on behalf of covered entities through a web-based form called the “CIRCIA Incident Reporting Form.” Regardless of type, all reports will require covered entities or third parties filing on behalf of covered entities to indicate:

  1. Report type
  2. Identity of the covered entity
  3. Contact information
  4. Third-party authorization (if third-party reporting on behalf of a covered entity)  

Covered Cyber Incident Reports

When a covered entity experiences a covered cyber incident, the covered entity or an authorized third party must file a covered entity cyber report no “later than 72 hours after the covered entity reasonably believes that a covered incident has occurred.”

Understanding that it may not always be immediately apparent that a cyber incident has occurred, CISA expects that entities may need to perform a preliminary analysis before having a “reasonable belief” that it experienced a covered cyber incident. Generally, CISA anticipates that this analysis should be fairly quick, a matter of hours rather than days.

Once a covered entity reasonably believes it has experienced a covered cyber incident, it or its authorized third party must report it as a Covered Cyber Incident via the CIRCIA Incident Reporting Form. At this stage, the covered entity or its authorized third party should be prepared to provide as much of the following information as possible (CISA acknowledges that at this stage in an incident investigation, an entity may not have all of the information yet.)

  • A description of the function if affected information systems and network devices
  • A description of the unauthorized access and extent of the information compromise or impact
  • A description of any disruption to business or industrial operations resulting from the unauthorized access
  • The incident date range
    • Date incident began
    • Date incident was detected
    • Date incident was mitigated and resolved (if applicable)
    • Duration of the unauthorized access prior to detecting and reporting it (If applicable)
  • A description of the vulnerabilities exploited and security defenses in place
  • The type of incident and a description of the tactics, techniques, and procedures (TTPs) used to perpetrate the incident
  • A description of how the incident was detected and any indicators of compromise  (IOCs)
  • Information related to the perpetrator’s identity

Additionally, when reporting, a covered entity or its authorized third party must, if possible, submit a copy or sample of any malicious software it believes is connected to the incident.

Ransom Payment Reports

When a covered entity or a third party acting on the covered entity’s behalf makes a ransom payment as a result of ransomware attack, it or its authorized third party must report the payment via a Ransom Payment Report within 24 hours of making the payment.

CISA considers a payment to have been made when the payment is disbursed. When filing the report, a covered entity or its authorized third party must provide the following information:

  • A description of the ransomware attack
  • A description of the vulnerabilities exploited and security defenses in place
  • Information related to the identity of the perpetrator
  • The details of the ransom payment:
    • Date of payment
    • Manner of payment requested (type of virtual currency or other commodity)
    • Payment instructions
    • Payment amount
  • The verbatim text or screenshot of the actual demand (if multiple demands or payments were made, a covered entity must report each one)
  • The aftermath of the payment (data returned, decryption keys provided, etc.)
  • The identity of any entities who assisted the covered entity in responding to the ransomware attack or making the payment
  • The information related to any law enforcement engagement related to the payment

Joint Cyber Incident and Ransom Payment Reports

Where a covered entity has made a ransomware payment within the 72 hour window of reaching the belief that a covered incident has occurred, it or its authorized third party may file a Joint Cyber Incident and Ransom Payment Report.

Supplemental Reports

Under two sets of circumstances, a covered entity could be required to file a Supplemental Report to a previously filed report.

  1. The covered entity obtains “substantial new or different information.” In this instance, the Supplemental Report would serve to either fill the gaps in a previously filed Covered Cyber Incident Report, Ransom Payment Report, or Joint Cyber Incident and Ransom Payment Report or act as an amendment to a previously filed report. In the latter case, the additional information would show that the previously filed report is materially incorrect or incomplete.
  2. The covered entity makes a ransom payment after it has filed a Covered Cyber Incident Report.

Supplemental reports should be filed “promptly” which CISA interrupts to mean within 24 hours of discovering new or different information or of making a ransom payment.

Reporting Exceptions

There are three circumstances in which a covered entity may be entirely exempted from filing a CIRCIA Incident Report.

Combined Report

As discussed above, a covered entity can submit a single Joint Cyber Incident and Ransom Payment Report to report both a covered cyber incident and ransom payment. This submission is appropriate where the covered entity makes a ransom payment within the 72 hour window of reporting the covered cyber incident.

Substantially Similar Report

If a covered entity is legally required to report substantially similar information within a substantially similar timeframe to another federal agency with whom CISA has an information sharing agreement and mechanism, the covered entity does not also need to report under the CIRCIA.

In order for this exception to apply, CISA must be able to receive the information from the other federal agency within the same timeframe it would have received the information had the covered entity reported directly to CISA. This means that if the other federal agency requires reporting an incident within 72 hours of a covered entity reasonably believing it occurred, the federal agency must have an instantaneous information sharing mechanism in place with CISA so that CISA may receive the report with its required 72 hour time frame.

The CIRCIA proposes to call these information sharing mechanisms “CIRCIA Agreements” and CISA will announce and catalogue all these agreements on its public facing website. If a covered entity reports to another federal agency with which CISA does not have a CIRCIA Agreement, this exception will not apply and the covered entity will also have to report to CISA.

Domain Name Exception

Covered entities or functions within a covered entity that are owned-operated or governed by a multi-stakeholder organization that develop, implement, or enforce policies relating to the Domain Name System (DNS) will be exempt from reporting a covered cyber incident to CISA.

Preservation Requirements

The CIRCIA also proposes to impose data and information preservation requirements on covered entities. Specifically, CIRCIA will require covered entities to propose information related to:

  • Communications between the covered entity and the threat actor
  • Indicators of compromise
  • Relevant log entries, memory captures, and forensic images
  • Network information and traffic related to the incident
  • System information that may help identify the exploited vulnerabilities
  • Information related to any exfiltrated data
  • Data and records related to any ransom payment made
  • Any forensic or other report related to the covered incident

A covered entity should begin to preserve these records at either (1) the date upon which the entity establishes a reasonable belief that a covered cyber incident has occurred, or (2) the date upon which the ransom payment is made, whichever is earlier. A covered entity has to then preserve these records for two years from the submission date of its latest required CIRCIA report.

In terms of manner of preservation, a covered entity needs to preserve these records so that the covered entity may easily retrieve them to respond to a government request. Additionally, covered entities should take reasonable measures to protect the preserved information against unauthorized access, disclosure, deterioration, deletion, destruction, and alteration.

Note that a covered entity is not required to create any records or data it does not already have in its possession. This preservation requirement only applies to records and data that an entity has created or will create regardless of the CIRCIA.

Personal Information

Although CISA has not included specific notification requirements for compromised personal information, covered incident reports may include whether any personal information was compromised, and covered entities should take care to preserve records related to any personal information impacted by the incident. CISA has proposed a broad definition of personal information that extends beyond what is typically considered notifiable under state and federal regulations, including but not limited to:

  • identifying information such as photographs, names, home addresses, direct telephone numbers, and Social Security numbers; and
  • information that does not directly identify an individual but is nonetheless personal, non-public, and specific to an identified or identifiable individual, such as medical information, personal financial information (e.g., an individual’s wage or earnings information; income tax withholding records; credit score; banking information), contents of personal communications, and personal web browsing history.

Unlike the definition provided in the Cybersecurity Information Sharing Act of 2015, CISA does not require that the information be “known at the time of sharing” to be personal information.

Enforcement

The CIRCIA provides various enforcement methods for CISA to use if CISA believes that a covered entity failed to report a covered cyber incident or ransom payment in accordance with CISA’s proposed regulatory reporting requirements. These mechanisms include:

  • the issuance of a Request for Information (RFI);
  • the issuance of a subpoena, ;
  • a referral to the Attorney General to bring a civil action in District Court to enforce a subpoena and/or pursue a potential contempt of court; and
  • other enforcement proceedings such as acquisition penalties, suspension, and debarment.

CISA must consider the following factors when determining whether to exercise its enforcement authority: the complexity of determining whether a covered cyber incident has occurred, the covered entity’s prior interactions with CISA, and the covered entity’s understanding of the policies and procedures for reporting covered cyber incidents and ransom payments. 

The enforcement provisions of CIRCIA do not apply to State, Local, Tribal, or Territorial (SLTT) Government Entities.

Request for Information (RFI)

Under the CIRCIA, the CISA Director can issue an RFI and may also formally designate another individual (or more than one individual) as having the authority to issue an RFI. RFIs are applicable in two scenarios: (1) when an entity fails to report a covered cyber incident or a ransom payment; and (2) when the CISA would like additional information following a covered entity’s submission of a report. This means that the CISA may issue RFIs for failure to submit a Supplemental Report, or if it finds a report to be deficient or noncompliant.

The CIRCIA provides liability protection for any person or entity that submits a CIRCIA Report or information in response to an RFI. CIRCIA reports and RFI responses are also considered the commercial, financial, and proprietary information of a covered entity when so designated by the entity (there is an option to choose this when submitting). The reports and RFI responses are not considered a waiver of any applicable privilege or protection.

Note that an RFI is not a final agency action, so the issuance of an RFI cannot be appealed.

Subpoenas

If the CISA Director has not received an adequate response to an RFI within 72 hours of issuance, the Director may issue a subpoena to compel disclosure of information. This includes information that the Director deems necessary to determine whether a covered cyber incident or ransom payment has occurred, and to assess potential impacts of the incident on national security, economic security, or public health and safety.

Responses to subpoenas do not receive the same protections as information in a CIRCIA Report or information submitted in response to an RFI. Notably, subpoenaed information may be shared with certain law enforcement and regulatory officials. CISA is proposing this approach so that the unavailability of protections will incentivize covered entities to comply with the applicable regulation or an RFI.

Attorney General Referrals

If a covered entity fails to comply with a subpoena, the CISA Director may refer the matter to the Attorney General to bring a civil action in a district court of the United States to enforce the subpoena. A court may punish a failure to comply with a CIRCIA subpoena as contempt of court.

Acquisition Penalties, Suspension, and Debarment

The CISA Director must refer all circumstances of a covered entity’s noncompliance that may warrant suspension and debarment action to the DHS Suspension and Debarment Official. The CISA Director has the power to provide information regarding a noncompliant entity who has a procurement contract with the Federal government to the Attorney General and to the contracting official responsible for oversight of the contract in question.

Penalties for False Statements and Representations

Any person who knowingly and willfully makes a materially false or fraudulent statement or representation in connection with, or within, a CIRCIA Report, RFI response, or reply to an administrative subpoena is subject to penalties. CISA interprets “materially false or fraudulent statements or representations relating to CIRCIA” to potentially include knowingly and willfully doing any of the following:

  • submitting a CIRCIA Report for an incident that did not occur
  • claiming to be a representative of a covered entity whom you do not in fact represent
  • certifying you are a third party authorized to submit on behalf of a covered entity when you do not have authorization, and
  • including false information within a CIRCIA Report, RFI Response, or response to an administrative subpoena.

A report that a covered entity reasonably believes to be true at the time of submission, but later learns is incorrect, is not a false statement or misrepresentation if the entity submits a Supplemental Report reflecting the new information.

Penalties for making false statements and representations include a fine or imprisonment for no more than five years. The maximum penalty for making false statements and penalties increases to eight years imprisonment if the false statement is related to international or domestic terrorism or certain sexual offenses.

Additionally, materially false or fraudulent statements or representations in submissions to CISA do not receive the protections and restrictions afforded to CISA Reports and RFI responses.

Key Takeaways

  • Businesses that may not have expected to be affected by the CIRCIA should carefully review whether they fall under CISA’s new definitions and be prepared to report on cyber incidents in the event the proposed rules are adopted.
  • CISA requires covered entities to report covered cyber incidents no later than 72 hours after they reasonably believe a covered incident has occurred or within 24 hours of making a ransom payment after a ransomware attack, and is empowered by various enforcement mechanisms to take action against covered entities that fail to do so.

Reports on incidents should include descriptions of: the affected information systems and network devices and their functions; the extent, impact, and date range of the incident; the vulnerabilities exploited and security defenses in place; the TTPs used to perpetrate the incident; how the incident was detected and any IOCs; and any information related to the perpetrator’s identity.