CISA Moves Toward Finalizing CIRCIA Reporting Requirements for Critical Infrastructure
The Cybersecurity and Infrastructure Security Agency (CISA) is in the midst of conducting town-hall meetings in advance of finalizing the rules implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA.
The rules will require covered entities to report “covered cyber incidents” to CISA within 72 hours and ransom payments within 24 hours. Covered entities’ reporting requirements will extend to incidents originating from supply-chain compromises and third-party vendors, such as cloud and managed service providers.
Companies that are potentially covered should evaluate whether to contribute to the rule-making process and start updating their cyber incident response planning to account for the new requirements, which have short deadlines and demand substantial detail.
Critical infrastructure comprises 16 sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food & Agriculture; Government Facilities; Healthcare & Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water & Wastewater Systems.
The anticipated topics of discussion in the town-hall meetings include criteria to determine which entities will be subject to new reporting requirements and what information they will have to submit. CIRCIA’s deadlines are tight, and the amount of technical information that CISA requires is substantial and detailed (even without thinking about CISA’s own cybersecurity mishaps).
CISA’s proposed rules include two sets of criteria for entities “in a critical infrastructure sector.” Under CISA’s proposal, an entity does not have to own or operate critical infrastructure systems or assets to be “in” a critical infrastructure sector. Rather, entities that “are active participants in critical infrastructure sectors and communities” can be considered to operate “in” a critical infrastructure sector. Additional guidance on what falls within each sector is available in that sector’s Sector-Specific Plan (SSP).
An entity “in” a critical infrastructure sector will be subject to the rules if it either exceeds the Small Business Administration threshold for its industry or, for most critical infrastructure sectors, meets a sector-based criterion. Neither set of criteria has been finalized, and CISA is currently accepting feedback through the town-hall meetings.
Notably, the proposed rules apply the reporting requirements to entities, not to particular systems or assets. As a result, if any part of an entity is subject to the sector-based criteria in the proposed rule, the entire entity is subject to the reporting requirements.
None of these scoping or definitional provisions have been finalized, and the town-hall meetings provide an opportunity for industry to have input. But companies that do business in or near a critical infrastructure sector should start evaluating their reporting obligations, particularly taking into account that the obligation extends to the entire entity, not just critical infrastructure assets. And companies that anticipate falling within the scope of the CIRCIA rules should start reviewing and updating their incident response plans to account for the new reporting regime.
Part of the Regulatory Roundup: Navigating a New Era series, which covers significant policy changes under the new administration.