On June 3, the public comment period closed for the U.S. Cybersecurity & Infrastructure Security Agency’s (CISA) Notice of Proposed Rule Making (Proposed Rule) under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). CISA now has until October 2025 to make any modifications and publish its Final Rule.
What is CIRCIA?
CIRCIA was signed into law in March 2022 in response to a growing number of cyber threats and attacks on entities operating within certain critical infrastructure sectors. Under CIRCIA, companies within 16 critical infrastructure sectors will be required to report substantial cyberattacks within 72 hours “after the company reasonably believes the incident has occurred.” Ransomware payments must also be reported within 24 hours of being made. Companies must also retain certain documents for two years following the incident. CISA’s 447-page Proposed Rule, published this April, set forth the criteria for determining which companies are covered and which incidents must be reported.
Who Must Report?
CIRCIA applies to companies operating in “a critical infrastructure sector,” but the law itself does not define which companies are within those sectors. The Proposed Rule commentary, however, indicates that the definition is tied to the sector descriptions in the critical infrastructure Sector-Specific Plans that were developed in 2015 under Presidential Policy Directive 21.
The Proposed Rule further clarifies that for the reporting obligations to apply, the company must not only operate within one of the 16 critical infrastructure sectors, but also either (1) exceed the U.S. Small Business Administration’s (SBA) small business size standard or (2) meet certain sector-based criteria for 13 of the 16 critical infrastructure sectors. These sector-based criteria are independent from the SBA criteria. For example, healthcare facilities with fewer than 100 beds are not required to report incidents, but “critical access” hospitals would be required to report, regardless of size. (The Proposed Rule does not include any sector-based criteria for the Commercial Facilities, Dams, or Food and Agriculture sectors.)
What Must Be Reported and When?
The Proposed Rule generally requires companies to report “substantial” cyber incidents 72 hours after the company “reasonably believes” a covered cyber incident has occurred and 24 hours after a ransom payment has been made.
When is a cyber incident “substantial”?
A cyber incident would be “substantial” if it leads to any of the following:
- A substantial loss of confidentiality, integrity, or availability of an information system or network.
- A serious impact on the safety and resiliency of operational systems and processes.
- A disruption of a company’s ability to engage in business or industrial operations or deliver goods or services.
- Unauthorized access to information systems or networks, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud-service provider, managed-service provider or other third-party data hosting provider, or a supply chain compromise.
Examples of substantial cyber incidents include: (1) a distributed denial-of-service (DDoS) attack that renders a company’s services or goods unavailable to customers for an extended period, (2) a cyber incident that encrypts a core business or information system, or (3) unauthorized access to a company’s business systems using compromised credentials from a managed-service provider.
But not every incident will be reportable under the Proposed Rule. For example, a DDoS attack that only results in a brief period of unavailability of a company’s website that does not provide critical functions or services to customers would not require a report, nor would a cyber incident that results in only minor disruptions or the compromise of a single user’s credential. Malicious software being downloaded also would not be reportable if antivirus software successfully precludes it from executing.
So, for example, a DDoS attack that only temporarily stops customers from visiting a company’s website would not be substantial, whereas a similar DDoS attack with significant downtime for critical functions would meet the criteria.
When must a company report an incident?
The Proposed Rule recognizes that a company’s “reasonable belief” that a covered incident has occurred is subjective. In many cases, a company will need to perform some “preliminary analysis” before reaching a reasonable belief that a cyber incident has occurred. CISA indicated in its Proposed Rule, however, that any preliminary analysis “should be relatively short in duration (i.e., hours, not days) before a ‘reasonable belief’ can be obtained, and generally would occur at the subject matter expert level and not the executive officer level.”
What must a company report?
Under the Proposed Rule, a company would be required to submit incident reports on a web-based portal, including all of the following:
- A narrative description of the incident, including the impacted information systems, a timeline of the incident, and its operational impact.
- A description of any vulnerabilities, as well as the covered entity’s security controls.
- The tactics, techniques, and procedures (TTPs) used by the perpetrator and any associated indicators of compromise.
- Whether any third parties, including law enforcement, were engaged for assistance, and the identities of those third parties.
For ransom payment reports, CISA requires similar information plus details about the ransom demand amount, the date of the payment, the amount paid, and the outcome of the ransom payment.
What Does CISA Do with the Information?
With new reporting obligations come concerns about how the disclosures might be used. CIRCIA provides certain protections for these reports, although those protections do not affect a reporting company’s liability for the incident itself. Information provided to CISA may only be disclosed or used by a federal agency for (1) a cybersecurity purpose; (2) identifying a cybersecurity threat or a security vulnerability; and (3) responding to or mitigating a specific threat of death, serious bodily harm, or serious economic harm. No enforcement action may be taken based solely on the submission of a report or a response to a request for information from CISA. In addition, reports, responses, and related communications may not be admitted as evidence, subjected to discovery, or used in any legal proceedings. A covered entity may designate its report as “commercial, financial, and proprietary information” if it desires, and reports are exempt from disclosure under the Freedom of Information Act (FOIA) and similar laws.
What Happens for Failure to Report?
The Proposed Rule grants CISA authority to issue subpoenas to companies compelling disclosure of information “if there is reason to believe that the entity experienced a covered cyber incident or made a ransom payment but failed to report the incident or payment …” If a company fails to comply or provides an inadequate or false response, CISA may refer the inquiry to the U.S. Department of Justice to bring a civil action or pursue acquisition penalties, suspension or debarment.
What’s Next?
CISA has until October 4, 2025, to make any modifications and publish its Final Rule. CISA expects the final rule to come into effect in early 2026. While companies will not be required to report cyber incidents or ransom payments until the Final Rule goes into effect, CISA has encouraged all companies to voluntarily share information in the interim.
How Can Companies Prepare?
Many companies in highly regulated industries will already have written information security programs that will need to be modified to account for this new 72-hour reporting requirement. For companies within a critical infrastructure sector that do not currently have written information security programs, including written incident response plans, devising such plans and running desktop simulations will be crucial in preparing for the implementation of the Final Rule. As CISA has indicated, companies will be expected to conduct a preliminary analysis of an incident in “hours, not days.” Thus, a company’s written response plan should be a familiar document to IT, information security, legal, and executive employees.