Long-Awaited Cyber Incident Reporting Rules Taking Shape

CISA has published a draft of a new set of federal rules that require critical infrastructure entities to report cybersecurity incidents and ransomware payments, opening it up to comments.

The federal government is offering the public its first look at a long-anticipated cyber incident reporting rule.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will, when implemented, require critical infrastructure entities to inform the federal government when they suffer a significant cyber incident or pay ransomware extortion.

CIRCIA is intended to “help preserve national security, economic security, and public health and safety,” the Cybersecurity and Infrastructure Security Agency (CISA) said in its 447-page initial Notice of Proposed Rulemaking, which was published Wednesday.

The goal is to help the federal government better analyze threat trends and identify attackers' tactics, techniques and procedures. CISA could also warn potential victims and assist other affected organizations more quickly. In addition, new insights could help software developers make safer products.

CIRCIA could also pave the way for stronger policy responses. Cybersecurity experts have said the U.S. needs more ransomware incident reporting to better understand threats and to make informed decisions.

The draft will get an update, with CISA slated to publish an official version on April 4. Stakeholders will have 60 days to submit feedback at http://www.regulations.gov. The final rule is expected 18 months later.

All told, CIRCIA is expected to require reporting from 316,244 entities, per the agency.

But the notice identifies key areas of debate that emerged as CISA developed the draft rule, as well as CISA’s proposed approach and reasoning.

States making their own cybersecurity reporting laws have debated how promptly to require disclosure. CIRCIA gives an entity 72 hours to report a qualifying cyber incident. Entities also have 24 hours to report after they pay ransomware extortion, or a third party does so on their behalf. The goal is to get information quickly enough that CISA can analyze details to alert other targets in time, but slow enough to avoid disrupting initial response efforts or accuracy of reporting. Under the proposal, organizations would submit updated and additional information later, as they learn more about incidents.

Much debate has also gone into how to define the type of entities and incidents this covers.

Some stakeholders warned CISA that requiring too many entities and too many kinds of incidents could overwhelm the agency. But CISA concluded that improved data management tools and procedures can handle a lot of information.

Some stakeholders also stressed the need for a user-friendly reporting process, which CISA aims to provide via a web form. CISA also aims to provide safeguards for the information in reports, including exempting it from public record requests and ensuring entities are not held civilly liable based on information they report.

CISA also aims to reduce duplication, for example by proposing a CIRCIA exception for organizations that already provide very similar reporting on similar timelines to another federal entity.

CISA estimates that implementing the rule will cost the public and private sectors a combined $2.6 billion from 2023 through 2033. Those expenses include the technology and personnel the government needs for receiving, analyzing and sharing reported information, along with private entities' costs of learning about and complying with the requirements.

Still, these are rough estimates made with considerable uncertainty, because they work around big knowledge gaps. For example, CISA doesn't know how many reports to expect, among other details.

Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She's based outside Boston.