
CISA Regulations Regarding Cybersecurity Incidents and Critical Infrastructure Proceeding

June 22, 2026

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) was signed into law in March 2022. It requires covered entities in the critical infrastructure sectors to report covered cyber incidents and ransom payments to the Federal government. Under the statute, a covered cyber incident must be reported to CISA within 72 hours of the entity reasonably believing that the incident occurred, and a ransom payment must be reported within 24 hours of the payment being made—both tight turnarounds.

The law tasked CISA, the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security, with issuing the rules and regulations that implement it. CISA published proposed rules for comment in 2024. Earlier this year, CISA was to hold a series of town halls to allow for public comment on those proposed rules and to offer thoughts on the implementation of the law, but those were postponed due to a lapse in Department of Homeland Security funding. With funding now restored, CISA has started to hold those town halls.

What has emerged from the submitted comments and these meetings is a set of recurring concerns from entities covered by the law, which may offer some insight on the ultimate implementation of the 2022 law. While CISA has not released any information on its final rules and is still collecting submitted materials for consideration, the following issues appear to be the main focus of interested groups.

Definition of Covered Entities

One concern centered on which entities are to be considered “critical infrastructure.” Under the law, CISA is tasked with defining which entities within the critical infrastructure sectors are “covered entities” subject to the reporting requirements. CISA recognizes sixteen (16) critical infrastructure sectors[1] “whose assets, systems, and networks, whether physical or virtual, are considered vital to the United States….” These sectors, however, cover a very wide swath of industries and businesses (from nuclear reactors to strip malls).

Not surprisingly, many comments on the proposed rules and participants in the town hall meetings wanted CISA to exercise that discretion to define “covered entity” narrowly. Entities who view themselves as on the edge of, or even outside, actual critical infrastructure voiced support for focusing instead on the most critical of the critical infrastructure. One entity voiced concern that too broad a definition of covered entity could lead to the collection of so much information that the reporting would lose its value. Other concerns centered on the burden that this level of reporting would place on entities who are not really part of what has classically been considered critical infrastructure.

Some entities, however, wanted the definition to be expanded—at least in part—to cover technology companies and other providers of services to critical infrastructure. These comments focused on making sure that the entities most likely to suffer the cybersecurity incidents and to hold the most relevant information (on what happened, how it occurred, and what steps were needed to address the issue) were required to report in place of, or at a minimum in addition to, the entity operating in the critical infrastructure space. For instance, educational institutions often use vendor software in connection with their education services, and it is that vendor and its software that are likely to be the target of an attack. Making the educational institution responsible for reporting was described as an unfair burden on an entity without direct access to most (if not all) of the necessary information.

Definition of a Cyber Incident

Another key area of concern, both in the comments on the proposed rules and again at the town hall meetings, was making sure that the definition of a “cyber incident” was of appropriate scope. Numerous commenters wanted the definition to focus on (1) verified incidents and (2) incidents that resulted in harm. The concern was that keeping the 72-hour deadline for reporting cyber incidents without limiting reporting to verified incidents (which, some argued, can often take longer than 72 hours to confirm) or to incidents resulting in harm could lead to over-reporting of unverified attacks and inconsequential cyber incidents. Large institutions are routinely subject to hundreds of attacks a day. Most of those attacks are dealt with by their IT systems and protections and are inconsequential. But if the definition of a cyber incident under this law were to include such “routine” attacks, entities would be forced to report on them all, which, it was argued, would add burdensome requirements on entities while doing nothing for cybersecurity preparedness. Similarly, if incidents that impact operations must be reported before they can be verified, reports may be made regarding equipment failures or other technical issues that are initially suspected to be an attack but are ultimately determined not to result from malicious action.

Accordingly, CISA was urged to make the definition of “cyber incident” narrow enough to exclude routine penetration attempts and to allow entities time to verify an attack before the 72-hour reporting clock begins to run.

Consistency and Interrelation with Other Reporting Requirements

Still other entities voiced concerns about having yet another reporting requirement introduced in a space already filled with such requirements. These entities noted that, as part of critical infrastructure, they are already required to report cybersecurity incidents to a number of agencies, governments, and entities with oversight responsibilities. Adding another reporting requirement would be burdensome and problematic unless it was properly coordinated with the information already required to be reported to those other entities. They voiced support for CISA working with the other agencies in this space that require reporting to share information and coordinate reporting responsibilities, so as to avoid duplication and extra work.

Conclusion

With CISA still in the process of fielding comments about its proposed rules, there are a lot of questions around next steps. CISA has said that it will accept materials and will be evaluating comments from the town halls, so it is unclear when final rules under CIRCIA will be promulgated. It is also important to note that CISA is facing other constraints. CISA’s budget was cut by $707 million. It has reduced its workforce by a third and has not had a Senate-confirmed permanent director since the current administration took office last year. So, while we can expect that final rules for implementing CIRCIA will be coming, when those rules will be provided, what they will say, and, ultimately, whether there will be anyone or any budget to enforce those rules are yet to be seen.

[1] The sixteen critical infrastructure sectors listed on the CISA website are: chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government services and facilities, healthcare and public health, information technology, nuclear (reactors, materials, and waste), transportation systems, and water/wastewater.

This publication is intended for general informational purposes only and does not constitute legal advice or a solicitation to provide legal services. The information in this publication is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional legal counsel. The views and opinions expressed herein represent those of the individual authors only and are not necessarily the views of Clark Hill PLC. Although we attempt to ensure that postings on our website are complete, accurate, and up to date, we assume no responsibility for their completeness, accuracy, or timeliness.
