In one of the most significant cybersecurity policy reforms in recent memory, the Cybersecurity and Infrastructure Security Agency (CISA, part of the US Department of Homeland Security or DHS) has released its much-anticipated notice of proposed rulemaking (NPRM) to require critical infrastructure organizations to report cybersecurity incidents.
The move is intended to provide the federal government with better insight about breaches that affect highly sensitive entities, such as water and power utilities.
CISA developed the rules because the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which President Biden signed into law in March 2022, required it to do so.
Officials hope reports from companies in a range of industries will allow them to better spot attack patterns and determine tactics used by cybercriminals and nation states in order to help improve defenses.
That 2022 law was inspired in part by the SolarWinds hack, which highlighted how little information about a breach affecting a critical infrastructure entity was made available to the federal government. The rulemaking also represents one of the first steps by CISA toward a regulatory rather than purely advisory role.
Reporting requirements
Under the rules, companies that own and operate critical infrastructure would need to report significant cyberattacks within 72 hours, and report ransom payments within 24 hours.
While they contain a series of detailed carve-outs, the rules generally require companies to report incidents that impact safety, that disrupt services, or that were carried out through a third party such as a cloud service provider.
CISA regards unauthorized access to systems that results in downtime or significant impairment of operations as the threshold that triggers the reporting requirement. A denial-of-service attack causing significant downtime for critical functions, or unauthorized access to a company’s systems through the credentials of a third-party provider, would meet the criteria.
But a distributed-denial-of-service attack that temporarily stops customers from visiting a company’s public website wouldn’t qualify as substantial, nor would a successful phishing attack that is quickly halted without impact.
The agency said it encourages companies to report all cyber incidents, whether or not they meet the regulatory threshold.
The 447-page NPRM details a large array of nuances for specific sectors and cyber incidents. (For example, the NPRM describes the applicability of its rules to Title IV-funded higher education programs, along with many other sectors and subsectors.)
The companies affected by the proposed rules include all critical infrastructure entities that exceed the federal government’s threshold for what is a small business.
The rules provide a series of different criteria for determining which entities in each critical infrastructure sector will be required to report incidents. Some sectors will be covered in their entirety, such as the chemical sector. Entities in other sectors, such as information technology, will qualify based on criteria laid out in the framework.
Its list of exceptions to the cyber incidents that critical infrastructure operators will need to report is almost twice as long as the list of conditions that require reporting. Given that length, nuance and complexity, the document will need to be read and evaluated carefully.
“CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure,” said CISA Director Jen Easterly in a statement. “It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats.”
SEC rules and CISA’s proposals
Last year, the SEC mandated that publicly traded companies report “material” breaches to investors. CISA’s rules are aimed at critical infrastructure organizations that experience cyber-related disruptions, and they demand far more granular disclosure.
The two reporting requirements may well overlap in some cases, and harmonizing them is something policymakers will need to do. CISA said it is taking steps to do so and will, in certain circumstances, allow companies to satisfy CIRCIA reporting with reports filed under other rules.
CISA expects the rules will cost industry and government combined around $2.6 billion between now and 2033 and anticipates receiving around 25,000 reports each year.
Rep. Bennie Thompson (D-MS), ranking member of the House Committee on Homeland Security, and Rep. Yvette Clarke (D-NY) said in a joint statement that they would like to see compliance costs reduced so that the additional resources can be invested in companies’ actual security.
In terms of penalties, CISA’s enforcement tools are administrative: if CISA believes a company has experienced a covered cyberattack or paid a ransom and has not reported it, CISA can issue a request for information, followed by a subpoena if necessary to compel disclosure. If a company disregards the subpoena, CISA can refer the matter to the US Attorney General for civil proceedings.
Knowingly making false statements to the federal government can incur fines and imprisonment, but CISA says it does not consider information given in good faith at the start of a cyberattack that later turns out to be inaccurate to be a false statement.
Timing and comments
The NPRM was posted for public inspection on Wednesday and will be open for public comment for 60 days. The NPRM and instructions for submission of public comment are available now on the Federal Register.
CISA said it consulted with various entities throughout the rulemaking process for the NPRM, including Sector Risk Management Agencies, the Department of Justice, other appropriate US agencies, the DHS-chaired Cyber Incident Reporting Council, and various non-federal stakeholders.
CISA will incorporate the feedback received during the NPRM public comment period in developing a final rule, which CISA is required to publish within 18 months of the publication of the NPRM.
The proposal is just that: it awaits comments from industry participants, advocacy groups and others.
Congress has heard testimony that even small businesses have been the target of significant cyber attacks that could end up harming national critical functions and critical infrastructure. This, along with what US national security experts describe as China’s increasingly aggressive operations targeting American critical infrastructure, is why the rules are considered necessary and even overdue.
To underscore their importance, CISA encourages stakeholders to voluntarily share information about cyber-related events that could help mitigate current or emerging cybersecurity threats to critical infrastructure even before the rules are finalized and become effective.
Boards are likely to feel more pressure than ever to press business leaders for details on how their IT, compliance and legal departments (among others) are prepared to comply with these demanding requirements.
Business leaders will need to decipher the rules; put policies and procedures in place (or update current ones) to meet the obligations; determine roles and responsibilities; address possible new hiring and vendor needs; and assess current resource capabilities, including technology and reporting functionality, among other things.