The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) took another step toward fulfilling an obligation imposed by Congress in 2022 with the release of a notice of proposed rulemaking (NPRM) outlining requirements for critical infrastructure operators to report cyber incidents to the agency.
CISA’s proposal stems from the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which Congress passed in 2022 as part of an omnibus spending bill. The law requires entities in 16 critical infrastructure sectors defined in Presidential Policy Directive 21, including energy, to report relevant cyber incidents to CISA within 72 hours of occurrence, as well as when they make a ransom payment to the perpetrators of a ransomware attack. (See Budget Mandates Cyber Reporting for Critical Infrastructure.)
Authority for defining which incidents would be subject to reporting and which additional sectors, if any, the requirements would cover was left to CISA, which solicited input from industry with a request for information in 2022. Respondents to the RFI included NERC and the regional entities, which raised concerns about possible conflict between CISA’s potential final rule and the ERO’s Critical Infrastructure Protection (CIP) standards. (See NERC Calls for Flexibility in CISA Cyber Reporting Rules.)
CISA acknowledged these concerns in its NPRM, along with similar sentiments expressed by groups with their own reporting requirements, such as the Nuclear Regulatory Commission, Department of Energy and Federal Communications Commission. The agency said it doesn’t intend to use the authority granted by CIRCIA to replace existing regulations but “to fill … key gaps in the current cyber incident reporting landscape” created by the lack of a “comprehensive and coordinated approach” to cyber reporting in critical infrastructure.
The NPRM includes definitions of key terms such as:
- Cyber incident — “an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality or availability of information on an information system, or actually jeopardizes, without lawful authority, an information system.”
- Covered cyber incident — “a substantial cyber incident experienced by a covered entity.”
- CIRCIA report — a report of a covered cyber incident, ransom payment or both; or a supplemental report.
- Information system — a “set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of information.” This definition is borrowed from the Paperwork Reduction Act of 1980. CISA added that operational technology resources also are explicitly included in the definition.
More general terms such as “cloud service provider” also are defined, while the term “covered entity” is included but not given a set definition. Instead, CISA said whether an entity is covered by the rule will depend on its size, along with sector-specific criteria. The agency also has proposed allowing third parties such as the E-ISAC or its counterparts in other sectors to submit reports on behalf of covered entities with their authorization.
Web-based Reporting to be Standard
Regarding the manner of reporting, CISA noted CIRCIA required the agency to provide a web-based form for submission of reports. In addition, CISA said it received multiple comments suggesting such a form “is the preferred manner for submission of CIRCIA reports.” As a result, CISA proposed making a web form the “sole explicitly identified option” for submitting incident reports, though it also suggested the final rule would allow the agency’s director to approve other forms of reporting, such as by telephone, email or in person.
The content proposed for CIRCIA reports is, for the most part, explicitly required by the legislation and includes information such as the identity of the covered entity, the type of incident being reported, a detailed description of the incident, vulnerabilities that attackers may have exploited, the entity’s defenses and any mitigation or response measures.
CISA also plans to require entities to state whether they requested assistance from other entities and any engagement they have had with law enforcement agencies related to the ransom payment or attack. The agency said it may add other data to the requirements to keep up with changes in the cybersecurity landscape.
“CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure,” CISA Director Jen Easterly said in a statement. “It will allow us to better understand the threats we face, spot adversary campaigns earlier and take more coordinated action with our public and private sector partners in response to cyber threats. We look forward to additional feedback from the critical infrastructure community as we move towards developing the final rule.”
Comments on CISA’s NPRM are due 60 days after its publication in the Federal Register on April 4.