
Getting Ready to Report on Cyber Incidents and Ransom Payments

New CIRCIA law will have Notice of Proposed Rulemaking released in March 2024 with compliance for rules to begin September of 2025

If you are an owner or operator of critical infrastructure -- such as an Internet service provider, a middle mile provider, or an operator of an education or library network -- you need to be ready for CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

In March 2022, President Joe Biden signed CIRCIA into federal law. CIRCIA requires owners and operators of critical infrastructure to report cyber incidents and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA). The purpose of the new law is to let CISA deploy resources faster and help victims of cyber attacks. CISA also wants to be able to spot trends and share that information in a time-sensitive manner to warn other potential victims.

After the new law passed, CISA undertook a long public process that began with the issuance of a Request for Information asking how CISA should implement the new law. It asked what types of incidents should be reported, what the reporting timelines should be, how to harmonize the new law with dozens of existing regulatory requirements, what the implications for third parties are, and how enforcement and liability should work. Notably, CIRCIA gave CISA subpoena power and other enforcement tools.

After conducting a number of national listening sessions to gain input from stakeholders across the nation, CISA got to work and is about to issue a Notice of Proposed Rulemaking (NPRM) this month (March 2024) with proposed rules, subject to public comment. The final rules must be issued 18 months after publication of the NPRM, in September 2025.

While the rules are not yet final, the current set of draft rules says that network operators must report covered cyber incidents within 72 hours and ransom payments within 24 hours.

Why was CIRCIA necessary? One big reason is the need to harmonize dozens of cyber incident reporting requirements. Congress established a Cyber Incident Reporting Council (CIRC), and CIRC found that there are 52 in-effect or proposed federal cyber incident reporting requirements. Forty-five requirements are currently in effect across 22 agencies, and for energy utilities and communications providers there is a lot of duplication among them. This is why CIRC suggested streamlined reporting. The work being done includes model definitions of a reportable or covered cyber incident, model reporting timelines and triggers, a model reporting form for cyber incidents, streamlined sharing of reports and information, common terminology, and common ways to update and supplement a cyber report.

I recommend keeping an eye on the proposed rules and considering commenting on them.