Government agency CISA implements directive for mandatory reporting of significant events in essential infrastructure sectors
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) has been proposed, aiming to enhance the coordination of threat responses for critical infrastructure sectors. This act covers entities operating in sectors such as energy, water and wastewater systems, transportation, communications, and others essential to national security, public health, and safety [1].
Under CIRCIA, these entities are required to report specified "covered cyber incidents" and ransom payments to the government within strict timelines. Major incidents must be reported within 72 hours, while ransom payments need to be reported within 24 hours [1]. The purpose of this rapid reporting requirement is to facilitate timely information sharing between the impacted entities and federal cybersecurity agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA). This streamlined communication is intended to preserve evidence and to reduce delays and fragmentation in incident handling [1][3].
CIRCIA also aims to harmonize cyber incident reporting requirements across multiple federal agencies and sectors. By consolidating and streamlining federal cybersecurity incident reporting obligations, the act seeks to reduce regulatory complexity and improve overall cybersecurity posture [3].
The estimated cost of implementing CIRCIA is $2.6 billion over the period of analysis [4]. However, it is not clear whether entities like Change Healthcare, the target of a recent attack that affected almost the entire healthcare sector, would fall under the current framework [5].
CISA Director Jen Easterly believes that CIRCIA will allow for earlier spotting of adversary campaigns and a better understanding of the threats faced by critical infrastructure [6][7]. The notice for the proposed rule was posted on the Federal Register site for public inspection on Wednesday [8]. The official publication is set for April 4, followed by a 60-day comment period to gather written responses from the public [9].
Critical infrastructure entities will also be required to report ransom payments within 24 hours under the proposed rule [1]. As a result, these organizations are encouraged to develop robust internal incident detection and reporting processes aligned with standards like the NIST Cybersecurity Framework, further supporting preparedness and response maturity [1].
Corporate stakeholders are interested in understanding whether their technology stacks make them potential targets and better comprehending the risk calculus of their infrastructure [10]. Entities like UnitedHealth Group, central to the recent cyberattack at Change, would be considered critical infrastructure providers under the current definitions [11].
The U.S. has designated 16 critical infrastructure sectors, but there may be further debate about which entities will be fully required to comply under the new rule [12]. The ultimate goal of CIRCIA is to help federal authorities better coordinate critical infrastructure threat responses, ultimately improving the nation's cybersecurity preparedness.
References:
1. [Link to Reference 1]
2. [Link to Reference 2]
3. [Link to Reference 3]
4. [Link to Reference 4]
5. [Link to Reference 5]
6. [Link to Reference 6]
7. [Link to Reference 7]
8. [Link to Reference 8]
9. [Link to Reference 9]
10. [Link to Reference 10]
11. [Link to Reference 11]
12. [Link to Reference 12]
Under CIRCIA, critical infrastructure entities are required to report specified "covered cyber incidents" and ransom payments within strict timelines, with major incidents to be reported within 72 hours and ransom payments within 24 hours [1]. To facilitate this, these organizations are encouraged to develop robust internal incident detection and reporting processes aligned with standards like the NIST Cybersecurity Framework [1]. Additionally, the proposed act seeks to improve cybersecurity posture by harmonizing cyber incident reporting requirements across multiple federal agencies and sectors [3]. The intended result is that ransomware attacks and other cybersecurity incidents reach federal agencies quickly enough to be monitored and addressed in a timely, coordinated manner.