CISA Publishes Draft Federal Rules for Cyber Incident Reporting
John Levonick - Garris Horn LLP

The Cybersecurity and Infrastructure Security Agency (CISA) has taken a significant step toward enhancing America’s cybersecurity. It recently released a draft of a proposed rule that outlines how covered entities operating in critical infrastructure sectors should report cyberattacks and ransomware payments to the federal government.

Here are the key points from the proposed rule:

A) Reporting Obligations:

i). Entities operating in critical infrastructure sectors will be required to report “covered cyber incidents” within 72 hours after reasonably believing a cyber incident has occurred.

ii). Additionally, they must report ransom payments within 24 hours after making the payment.

B) Preservation Requirement:

i). The proposed rule includes a significant requirement: entities must preserve materials used to create the report. This includes items like the threat actor’s ransom note, logs, and forensic artifacts.

ii). These materials must be preserved for a period of two years.

C) Applicability:

The proposed rule applies to both large businesses and the critical infrastructure sector.

D) Consequences of Noncompliance:

Failure to comply with the reporting obligations can lead to an entity being subpoenaed and ultimately referred to the Department of Justice.

Whom Does this Proposed Rule Apply To?

The proposed Rule encompasses a broad range of entities and businesses based on two distinct criteria: size and sector.

A) Size Threshold:

i). A business could fall within the Rule’s scope based solely on its size, even without a direct connection to a critical infrastructure sector.

ii). Conversely, a small entity that aligns with the defined sector would have reporting obligations, regardless of its size.

iii). Specifically, if an entity exceeds the small business size standard specified by the applicable North American Industry Classification System (NAICS) Code in the U.S. Small Business Administration’s Small Business Size Regulations (as outlined in 13 CFR part 121), it will be categorized as a covered entity under the proposed rule.

B) Sector-Based Criterion:

Entities operating in the following critical infrastructure sectors, provided they meet specific thresholds, will also be classified as covered entities under the proposed rule:

i). Critical manufacturing

ii). Emergency services (e.g., law enforcement, fire and rescue, emergency medical services, etc.)

iii). Energy

iv). Education

v). Financial services

vi). State, local, tribal, or territorial governments

vii). Public health

viii). Information technology

ix). Nuclear reactors, materials, and waste

x). Transportation systems

xi). Water and wastewater systems

xii). Chemical facilities

xiii). Communications (radio / wire or radio services)

The proposed rule is set to be published in the Federal Register on April 4, 2024.

You can access an unpublished version of the proposed rule here (pdf).

CISA’s Rulemaking Authority:

  • CISA derives its rulemaking authority from the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
  • CIRCIA was signed into law by President Biden in March 2022 as part of the Consolidated Appropriations Act of 2022.
  • According to CIRCIA, CISA’s director was required to publish proposed rules implementing the reporting requirements within 24 months of CIRCIA’s enactment (by no later than March 2024), leading to the release of this proposed rule.

The final CIRCIA rule must be published within 18 months of the proposed rules, or by no later than September 2025.
