CISA: The Proposed Cybersecurity Incident Reporting Requirements for Critical Infrastructure Companies

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released a Notice of Proposed Rulemaking (NPRM) on April 4, 2024, that outlines new requirements for reporting cybersecurity incidents. Under the proposed rule, companies in critical infrastructure sectors would need to report significant cyber incidents within 72 hours and ransomware payments within 24 hours. The goal is to improve cyber threat awareness. The public can submit comments on the proposed rule by June 3, 2024.

This rule builds on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which mandates these reports.

What are the Entities Covered?

The proposed CISA rule defines critical infrastructure entities that must report cyber incidents. These include companies in sectors like energy, financial services, telecommunications, defense, and education, among others. The rule offers two ways to determine if an entity is covered: by size or by sector. Businesses that exceed the Small Business Administration’s size standards or meet specific criteria within a listed sector (such as those providing essential public services or supporting defense operations) must comply, regardless of size.

These entities include those involved in:

  • Critical chemical facilities
  • Telecommunications (wire or radio communications providers)
  • Defense support or handling defense-related data
  • Bulk electric and distribution systems
  • Financial services (owning or operating sector infrastructure)
  • Emergency services (performing critical functions)
  • Commercial nuclear power plants or related facilities
  • Providers of essential public health services
  • Information technology firms supporting election processes
  • State, local, tribal, or territorial governments

In short, the rule applies broadly to those playing significant roles in national infrastructure, and CISA has emphasized that companies fitting these criteria should consider themselves covered without further evaluation. This wide-ranging scope aims to enhance security across sectors vital to national and public interests.

What Cyber Incidents are Covered?

The NPRM outlines the definition of a “covered cyber incident” as one that is substantial, in line with CIRCIA’s requirements. A substantial cyber incident, under the proposed rule, includes those that result in a major loss of confidentiality, integrity, or availability of a company’s information systems; cause significant operational disruption; or grant unauthorized access to sensitive systems or data, especially through third-party providers or supply chain compromises.

Here are the causes that would require reporting of a substantial cyber incident under the NPRM:

  • Compromised cloud service provider
  • Managed services provider breach
  • Third-party data hosting provider breach
  • Supply chain compromise
  • Distributed denial-of-service (DDoS) attack
  • Ransomware attack
  • Zero-day vulnerability exploitation

These events meet the reporting threshold due to their potential to cause significant damage or disruption to a covered entity’s operations or data integrity.

What are the Reporting Requirements?

The NPRM outlines key requirements for both initial and follow-up reports after a covered cyber incident:

  • Timing:
    • Cyber Incident Reports: Must be submitted within 72 hours of forming a reasonable belief that an incident occurred.
    • Ransomware Payments: Must be reported within 24 hours of payment, considered made when disbursed by the company or authorized third party.
  • Follow-up Reports: Required when new information emerges or original reports need updating.

Information to be Reported

  1. Entity Identity: Legal names, addresses, website, and relevant critical infrastructure sector.
  2. Contact Information: Phone numbers and emails for the entity or its authorized agent.
  3. Third-Party Authorization: Attestation if a third party submits the report on the entity’s behalf.
  4. Incident Description: Impacted systems, the unauthorized access that occurred, and the information that was compromised.
  5. Vulnerabilities & Security: Detailed information on the vulnerabilities exploited, the security defenses that failed, and the attack methods used.
  6. Perpetrator Information: Details on those believed to be responsible, including evidence and confidence level in attribution.
  7. Mitigation/Response: Actions taken and their effectiveness, including any engagement with law enforcement or outside help.
  8. Additional Information: Any other relevant data that CISA might request.

Ransomware-Specific Information

Reports on ransomware payments must also include:

  • Whether stolen data was returned or decryption provided.
  • Details of the ransom demand, payment method, and amount.

How are the Reporting Requirements Enforced?

If a covered entity fails to report a cyber incident, CISA has several enforcement options under CIRCIA, including:

  • Issuing a Request for Information (RFI)
  • Subpoenaing the entity
  • Referring the case to the Attorney General for civil action
  • Imposing penalties like suspension, debarment, or acquisition restrictions

CISA will consider the complexity of the incident and the entity’s prior interactions when deciding on enforcement.

Companies should assess if they fall under the NPRM’s scope and update their incident response strategies accordingly.

Need Help Preventing Incidents?

Boost your business’s efficiency, security, and scalability with Managed IT Services from Intech Hawaii. Our expert team provides tailored IT solutions designed to meet your unique needs. Contact us today for a consultation, and let’s ensure your technology drives your success with the best IT Support Honolulu Hawaii has to offer.