On March 15th, 2022, President Biden signed a significant cybersecurity law that will affect private companies that operate critical infrastructure. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will require covered entities to report within 72 hours to the Cybersecurity and Infrastructure Security Agency (CISA) if they reasonably believe a “covered” cybersecurity incident has occurred. Further, covered entities will need to report any ransomware payments to CISA within 24 hours. Supplemental reports to CISA are also required if the covered entity becomes aware of substantially new or different information.

Background

In the past few years, a global trend has shown an increased amount of sophisticated cyber attacks and ransomware incidents against critical infrastructures. CIRCIA is intended to provide the federal government with the necessary information needed to effectively respond to ransomware attacks and other cyber threats against the nation’s critical infrastructure. The Director of CISA has released a statement explaining how CISA intends to use the reported information to rapidly deploy resources, aid victims suffering from attacks, and warn other potential victims.

When Does CIRCIA Take Effect?

The effective date for the requirements under CIRCIA will be determined by the Director of CISA in a Final Rule. The Director was given 24 months from March 15, 2022, to publish the proposed rulemaking. The agency will then have an additional 18 months from the date of publication to release a Final Rule.

Who Does CIRCIA Apply to?

As noted above, CIRCIA requires reporting by “covered entities” when they reasonably believe they have been the victim of a “covered cyber incident”. A covered entity is “an entity in a critical infrastructure sector” which is defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” By this standard, CIRCIA reporting requirements apply to a wide array of private companies within the following designated critical infrastructure sectors:

1. Chemical  
2. Commercial Facilities
3. Communications
4. Critical Manufacturing
5. Dams
6. Defense Industrial Base
7. Emergency Services
8. Energy
9. Financial Services
10. Food and Agriculture
11. Government Facilities
12. Health Care and Public Health
13. Information Technology
14. Nuclear Reactors, Materials, and Waste
15. Transportation Systems
16. Water and Wastewater Systems

Currently, there are no limitations on covered entities in terms of company size or revenue. The definition, however, will be further refined in the Final Rule.

What is Covered Under CIRCIA?

CIRCIA requires the reporting of all “covered cyber incidents” within 72 hours. A “covered cyber incident” is “a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director in the final rule issued pursuant to section 2242(b)”. Although what is encompassed in this definition will also be refined in the Finale Rule, CIRCIA does provide that, at minimum, disclosure is required for cyber incidents that:

1. Lead to loss of confidentiality, integrity, or availability of such information system or network, or has a serious impact on the safety and resiliency of operational systems and processes.
2. Disrupts business or industrial operations due to a denial of service attack, a ransomware attack, or exploitation of a zero-day vulnerability, against an information system or network; or an operational technology system or process.
3. Results in the unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.

CIRCIA also requires the reporting of all ransomware payments within 24 hours. If a covered entity makes a ransomware payment before reporting a cyber incident, it must file a single report with CISA. If a ransomware payment occurs after reporting a covered cyber incident, a second report within 24 hours of payment will be required.

CIRCIA will also require supplemental reporting if facts materially change, a ransom payment is made, or if the incident is resolved and is “fully mitigated”. For example, if a ransomware payment occurs after reporting a covered cyber incident, a second report will be required within 24 hours of payment.

In addition to the reporting requirements described above, covered entities are required to maintain all relevant data; the procedures behind maintaining relevant data will be established in the Final Rule.

What Should the Reports Include?

The Final Rule will also determine what is required within the reports under CIRCIA. However, at a minimum, the reports to CISA must include:

1. A description of the affected systems, the unauthorized access, and the impact on operations; and
2. The estimated date range of the incident.

What Steps Should Be Taken?

Although there is uncertainty as to when CIRCIA will take effect and what the Final Rule will encompass, entities that provide critical infrastructure should actively monitor the proposed rules. Those entities should evaluate the potential implications for their business and be prepared to begin reporting once the Final Rule is published.

For entities that are likely to become subject to CIRCIA, they will be well-served to preemptively implement enhanced cybersecurity protocols, update their incident response plans and data preservation policies, and refine their internal reporting procedures.

For more information on this topic, or to learn how Godfrey & Kahn can help, contact a member of our Data Privacy & Cybersecurity Practice Group.