This month, the Department of Homeland Security (“DHS”) Cybersecurity and Infrastructure Security Agency (“CISA”) released its long-awaited proposed draft regulations pursuant to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA” or the “Act”).

The Act was enacted on March 15, 2022, following several significant and disruptive cyberattacks on critical infrastructure in the United States. The Act requires certain covered entities to report cyber incidents and ransom payments within short time periods, specifically:

  1. within 72 hours after a covered entity “reasonably believes that [a] substantial cyber incident has occurred,” and
  2. not later than 24 hours after making a ransom payment that results from a ransomware attack against a covered entity.

Many of the details on how the Act will be implemented were left to public rulemaking by CISA, which published its draft regulations in the Federal Register on April 4, 2024 (“Proposed Rule”). The Proposed Rule (totaling over 400 pages) adds significant requirements and clarifications for companies who will be required to report under CIRCIA. This article summarizes some of the key details from the Proposed Rule.

To What Companies Does CIRCIA Apply?

While the Act includes a definition for the term “covered entity,” the statute explicitly requires CISA to further clarify the meaning of that term through its CIRCIA rulemaking.[1] Specifically, the Act defines “covered entity” as “an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21.”[2] Presidential Policy Directive 21 (“PPD-21”), Critical Infrastructure Security and Resilience, which was issued in February 2013, establishes a national policy on critical infrastructure security and resilience, encompassing assets, systems, and networks (whether physical or virtual) associated with critical infrastructure sectors. The sixteen sectors identified as critical infrastructure are: (1) chemical, (2) commercial facilities, (3) communications, (4) critical manufacturing, (5) dams, (6) defense industrial base, (7) emergency services, (8) energy, (9) financial services, (10) food and agriculture, (11) government facilities, (12) healthcare and public health, (13) information technology, (14) nuclear, (15) transportation, and (16) water and wastewater systems.

In its Proposed Rule, CISA proposes to treat as covered entities those entities that meet either of two threshold criteria:

1. Size-Based Criteria

The first group of entities that CISA is proposing to include as covered entities are entities within a critical infrastructure sector that exceed the U.S. Small Business Administration’s (SBA) small business size standard. The SBA standards are expressed either in number of employees or annual receipts in millions of dollars, depending on the classification of the particular business (using the North American Industry Classification System code).

2. Sector-Based Criteria

CISA is also proposing to include in the scope of covered entity any entity that meets any of the following proposed sector-based criteria:

  • any entity that owns or operates a covered chemical facility subject to the Chemical Facility Anti-Terrorism Standards (Chemical Sector).
  • any entity that provides communications services by wire or radio communications, as defined in 47 U.S.C. 153(40), 153(59), to the public, business, or government (Communications Sector).
  • any entity that owns or has business operations that engage in primary metal manufacturing; machinery manufacturing; electrical equipment, appliance, and component manufacturing; or transportation equipment manufacturing (Critical Manufacturing Sector).
  • any contractor or subcontractor required to report cyber incidents to the Department of Defense pursuant to DFARS 48 C.F.R. § 252.204-7012 (Defense Industrial Base Sector).
  • any entity that provides (1) law enforcement, (2) fire and rescue services, (3) emergency medical services, (4) emergency management, and/or (5) public works that contribute to public health and safety services or functions to a population equal to or greater than 50,000 individuals (Emergency Services Sector).
  • any entity that is required to report cybersecurity incidents under NERC’s CIP Reliability Standards or required to file an Electric Emergency Incident and Disturbance Report OE-417 form, or any successor form, to the Department of Energy (Energy Sector).
  • certain financial services entities that have the potential to impact the economic security of the nation if victimized by a covered cyber incident (Financial Services Sector).
  • state, local, tribal, and territorial government entities that serve a jurisdiction with a population equal to or greater than 50,000 individuals; certain entities related to education; and certain entities involved with election processes (Government Facilities Sector).
  • any entity that (a) knowingly provides hardware, software, systems, or services to the Federal government; (b) developed and continues to sell, license, or maintain any software that meets the definition of “critical software” as that term was defined by NIST pursuant to Executive Order 14028; (c) is an original equipment manufacturer, vendor, or integrator of Operational Technology (OT) hardware or software components; or (d) performs functions related to domain name operations (Information Technology Sector).
  • any entity that owns or operates a commercial nuclear power reactor or fuel cycle facility (Nuclear Reactors, Materials, and Waste Sector).
  • certain entities that own/operate certain non-maritime transportation system infrastructure, such as freight railroad, public transportation and passenger railroads, pipeline facilities and systems, over-the-road bus operations, passenger and all-cargo aircraft, indirect air carriers, airports, and Certified Cargo Screening Facilities; own/operate vessel, facility, or outer continental shelf facilities subject to 33 C.F.R. parts 104, 105, or 106; that are required to implement a TSA-approved security program under 49 C.F.R. parts 1542, 1544, 1548, and 1549; or that own/operate assets subject to the Maritime Transportation Security Act (Transportation Systems Sector).
  • any entity that owns or operates a Community Water System, as defined in 42 U.S.C. § 300f(15), or a Publicly Owned Treatment Works that serve more than 3,300 people (Water and Wastewater Systems Sector).

Note, CISA did not propose further sector-based criteria for three sectors: the Commercial Facilities Sector, the Dams Sector, and the Food and Agriculture Sector. Rather, it will rely on the size-based criteria to capture the largest entities in these remaining sectors.

What Are the Reporting Requirements for Covered Entities?

CIRCIA requires covered entities to report (1) covered cyber incidents, (2) ransom payments made in response to a ransomware attack, and (3) any substantial new or different information discovered related to a previously submitted report to CISA.[4]

Reporting Covered Cybersecurity Incidents

The Proposed Rule will require covered entities to report – or have a third party report on the covered entity’s behalf – a substantial cyber incident experienced by a covered entity. CISA proposes that the term “substantial cyber incident” be defined as a cyber incident that leads to any of the following impacts:

  1. substantial loss of confidentiality, integrity, or availability of a covered entity’s information system (including OT) or network;
  2. serious impact on the safety and resiliency of a covered entity’s operational systems and processes;
  3. disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or
  4. unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise.

Under the Proposed Rule, a cyber incident that actually results in any one of the listed impacts would be a substantial cyber incident, triggering reporting. The proposed definition also does not turn on the cause of the incident. Therefore, incidents where the covered entity is not yet able to confirm the root cause may still trigger the reporting requirements if the incident otherwise meets the reporting criteria.

CISA provided several examples of what would, and would not, qualify as a substantial cyber incident under the Proposed Rule, including the following:

Examples that likely would qualify as “substantial cyber incidents”:

  • A distributed denial-of-service attack that renders a covered entity’s service unavailable for an extended period of time.
  • A cyber incident that significantly increases the potential for a release of a hazardous material used in chemical manufacturing or water purification.
  • A cyber incident that disrupts the ability of a communications service provider to transmit or deliver emergency alerts or 911 calls, or results in the transmission of false emergency alerts or 911 calls.
  • A ransomware attack that locks a covered entity out of its industrial control system.
  • Unauthorized access to a covered entity’s business systems caused by the automated download of a tampered software update, even if there is no known data exfiltration.
  • Unauthorized access to a covered entity’s business systems using compromised credentials from a managed service provider.
  • The intentional exfiltration of sensitive data in an unauthorized manner for an unauthorized purpose, such as through compromise of identity infrastructure or unauthorized downloading to a flash drive or online storage account.

Examples that likely would NOT qualify as “substantial cyber incidents”:

  • A denial-of-service attack or other incident that only results in a brief period of unavailability of a covered entity’s public-facing website that does not provide critical functions or services to customers or the public.
  • Cyber incidents that result in minor disruptions, such as short-term unavailability or a temporary need to reroute network traffic.
  • The compromise of a single user’s credential, such as through a phishing attempt, where compensating controls (MFA) are in place to preclude use of those credentials to gain unauthorized access to systems.
  • Malicious software is downloaded to a covered entity’s system, but antivirus software successfully quarantines the software and precludes it from executing.
  • A malicious actor exploits a known vulnerability, which a covered entity has not been able to patch but has instead deployed increased monitoring for TTPs associated with its exploitation, resulting in the activity being quickly detected and remediated before significant additional activity is undertaken.

CISA also clarifies its interpretation of the Act to require reporting at any point during the occurrence of the covered cyber incident. For example, if an entity discovers that it experienced a covered cyber incident two years ago that has continued into the present (provided that the entity is a covered entity at the time of discovery), CISA’s Proposed Rule would require that entity to submit a report.

Reporting Ransom Payments

The Proposed Rule also requires a covered entity to report any ransom payment, including payments made where the underlying ransomware attack that led to the ransom payment is not a covered cyber incident. The Proposed Rule would trigger the 24-hour reporting requirement upon disbursement of the payment by the covered entity or a third party directly authorized to make a payment on the covered entity’s behalf.

Supplemental Reports

The Act also mandates that a covered entity promptly provide CISA with updates or supplements in certain circumstances. Under the Proposed Rule, such reports are triggered by information that (1) is responsive to a required data field in a covered cyber incident report that the covered entity was unable to substantively answer at the time of submission of that report or any supplemental report related to that incident, or (2) shows that a previously submitted report is materially incorrect or incomplete in some manner.

A covered entity is required to provide these supplemental reports unless and until it has notified CISA that the underlying covered cyber incident has concluded and been fully mitigated and resolved.[5]

How to Submit Reports

CISA is proposing that a covered entity submit CIRCIA Reports through the web-based CIRCIA Incident Reporting Form on CISA’s website.

Next Steps for the Rulemaking Process

The Proposed Rule is open for public comment for 60 days from its publication in the Federal Register (until June 3, 2024). Comments may be submitted at www.regulations.gov and must reference the Federal Docket Number CISA 2022-0010.

For more information about these developments, contact your DLA Piper relationship partner, the authors of this alert, or any member of our Data Protection, Privacy and Security team.


[1] 6 U.S.C. § 681b(c)(1).

[2] 6 U.S.C. § 681(4).

[3] In the Proposed Rule, CISA acknowledged that these entities are already subject to reporting requirements under the Health Information Portability and Accountability Act (HIPAA) and the Federal Trade Commission Health Breach Notification Rule (HBNR); however, CISA noted that those breach reporting requirements focus on impact to certain data and not other cybersecurity incidents potentially covered by CIRCIA.

[4] 6 U.S.C. § 681b(a)(1)-(3).

[5] 6 U.S.C. § 681b(a)(3).