Reporting Cyber Incidents under DHS CIRCIA’s Proposed Rulemaking
By Larisa Breton, Jason Smith and Patrick Miller
The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on April 4, 2024 published its proposed rules requiring critical infrastructure entities to report significant cyber incidents and ransom payments to CISA. The proposed regulations, stemming from the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), 6 CFR Part 226, 89 FR 23644 pp. 23644-23776, are intended to consolidate, fortify, and strengthen the United States’ cyber defenses in critical infrastructure (CI) sectors.
Despite an existing patchwork of federal, state, and local regulations, as well as voluntary reporting, CIRCIA was proposed and passed with CISA’s intent to institute a comprehensive, national approach to gathering and reporting information on cyber incidents across critical infrastructure sectors. While the proposed rules represent a watershed moment in the national fight against cyber threats to CI, significant and coordinated efforts by government and industry will be needed to refine the regulations and to balance the contrasting imperatives of speed, accuracy, compliance with existing frameworks, and redundancy of other regulatory burdens.
Summaries and analysis of these factors follow the topline providing basic facts and details about the proposed CIRCIA regulations.
Topline summary of the proposed rules
Who is covered by CIRCIA?
Bottom Line Up Front, the only CI entities not affected by CIRCIA are those that provide DNS naming services (the DNS Exception); those who have “substantially similar” reporting requirements (the Susbstantially Similar Exception), and those Federal Agencies subject to the Federal Information Security Modernization Act (FISMA) reporting requirements.
CISA proposes that “covered entity” subject to compliance and enforcement is any business or entity that exceeds (is greater than) the small business size standard by the applicable SBA Standards’ North American Industry Classification System Code (NAICS). Entities carrying multiple NAICS codes will need to proceed very carefully with respect to this requirement should it become statutory.
However, CISA also is using a cross-cutting criteria that is sector-based, and has promulgated a list of sectoral criteria for coverage consideration published in Section IV.B iv2.a and i in the proposed rulemaking. The Information Technology (IT) and Operant Technology (OT) sectors are definitively included in the proposed rules due to their role as vectors of cascading effects.
When do the CIRCIA regs take effect?
The regulations take effect after CISA has gathered public comments, performed review, and it has made any additional desired amendments to the proposed rules.
What triggers a reporting requirement?
The new law requires CISA to define what a “covered cyber incident” is that triggers a reporting requirement. CISA is proposing to define the term "covered cyber incident” to mean, “a substantial cyber incident experienced by a covered entity.” Substantial, per CISA, is defined as an incident that leads to a) substantial loss of C-I-A of a covered entity’s information system or network; b) a serious impact on the safety and resiliency of a covered entity’s operational systems and processes; c) a disruption of a covered entity’s ability to engage in industrial operations or to deliver goods and services; or d) unauthorized access to a covered entity’s system or network, or any nonpublic information therein, that is the result of a cloud service, MSP, other third-party provider, or supply chain compromise. Only one of these four types of incidents needs to be met in order to trigger the reporting requirement, and covered incidents must entail the actual impacts described, not the threat or possibility of these impacts. Also required is reporting if a covered entity not is threatened with, but pays, a ransom. Nor is attribution or tactics/tools/procedures causing the significant event considered relevant when reporting to CISA.
What does not trigger a reporting requirement?
The proposed rule does not require reporting for “lawfully authorized” government activity (including warrants or judicial review); incidents “perpetrated in good faith” by another party at the request of the covered entity’s information system owner; or extortions that threaten disruption.
How must covered CI entities report cyber incidents?
CISA proposes a 72-hour window to make a report after incident discovery, using a CISA-provided format to an online reporting repository. The four types of reports defined by CISA are called Covered Cyber Incident Reports, Ransom Payment Reports, and Supplemental Reports, respectively.
How will CIRCIA be enforced?
Safe harbor will be provided to those that comply and report in accordance with CIRCIA. CISA, generally, will monitor compliance in order to investigate potential violations; enforcement actions could include penalties, fines, or other directive enforcement measures for covered entities that fail to report or those that provide inadequate responses. The enforcement structures are designed to escalate and provide incentive to cooperate.
Response/Comment window:
Covered CI entities have until June 3, 2024 to respond to the proposed regulations with comments and related materials. Responses are to be directed to:
Federal eRulemaking Portal at https://www.regulations.gov
Docket No. CISA-2022-0010
Contact: Todd Klessman, CIRCIA Rulemaking Team Lead, CISA
circia@cisa.dhs.gov, (202) 964-6869
Responses should include the docket number. CISA notes that all responses posted to the rulemaking portal will be published, including personal or corporate information provided in the responses.
Competing imperatives require concerted, coordinated effort in affected sectors
Speed and Notifications
In the proposed rules, CISA said two major elements drove its imperatives on the type of reporting required and how quickly CI entities must report. First, CISA prioritized its need to gather sufficient amounts of information in order to discern vectors, patterns, techniques, actors, etc. to quickly identify cybersecurity threats to CI. Second, CISA needed to rapidly analyze and share information aggregated from reporting in order to “achieve early visibility” to “increase the likelihood” that entities across the CI community would be able to address identified vulnerabilities and defend infrastructure.
Accuracy, Defensive Action, and Forensics
There is a perpetual dynamic in cybersecurity between an entity’s need to respond to a cybersecurity event and its need to verify and document the event for forensic and evidentiary purposes. CISA acknowledged this dynamic and attempted to incorporate provisions in the rules to cushion entities required to report during incident response. These included providing a 72-hour reporting window to enable limited discovery; and allowing reporting entities to submit a preliminary report which can be supplemented later when preliminary assessments are corrected as more facts are known.
Existing Frameworks, Inter-Agency Cooperation, and Regulatory Burdens
As Federal agencies’ primary missions differ, complementary mission overlaps occur, which drive high interagency cooperation -- but these cooperations tend to run in specific critical infrastructure corridors. Similarly, the OEM and Prime contractors and service industries supporting sector-specific Federal agencies cooperate and coordinate with designated Federal agencies via ISACs, informal industry cooperation, and voluntary reporting initiatives; these are also functionally grouped by infrastructure and mission. As CIRCIA moves from proposal to enforcement, its success will hinge on effective collaboration between CISA, covered CI entities, and other stakeholders.
CISA particularly acknowledged “multiple, potentially duplicative requirements” and emphasized its desire to “minimize” the compliance burden by conducting extensive Federal outreach, participating in DHS-led working groups, and other groups such as CIRC and the Cybersecurity Forum for Independent and Executive Branch Regulators. CISA in the proposed rules stated that it “actively” sought to harmonize Federal incident reporting (IR) requirements; and to identify how covered CI entities could establish and use the Substantially Similar reporting exception authorized under 6 USC 681b(a)(5)(B). CISA in its proposed rule specifically said it “welcomes all comments” on harmonizing CIRCIA’s cybersecurity incident reporting requirements with other Federal or State/Local/Tribal cybersecurity incident reporting reporting requirements. It further said it was “committed to exploring ways” to continue to harmonize CIRCIA reporting with other existing Federal reporting regimes.
With the above said, this continued commitment covers intra-Federal reporting, but may not yet fully address the reporting burden created by mandatory regimes of multiple cybersecurity frameworks such as those promulgated by the NIST for Federal reporting and for enforcement compliance by covered entities servicing other lines of Federal, State, Local or Tribal business (for example, those used as the basis for the Department of Energy’s NERC CIP regulations, or those used as the basis for the TSA’s oil and gas transport regulations).
Other regulatory burdens including competency
We include this due to the high number of small- and medium-sized businesses in all verticals that support critical infrastructure. CISA also noted that initial commenters called for ease of reporting to be inclusive of those CI entities with low competency in cybersecurity, and for it to emphasize in its rulemaking that reporting was not intended to be punitive but collaborative.
Reports to non-Federal entities and the public
CIRCIA, statutorily, requires CISA to share cyber-threat information with Federal entities; but it also requires CISA to publish quarterly, unclassified reports that are aggregated and anonymized with findings and recommendation – though this, in and of itself, could provide valuable OSINT to national adversaries. When CISA identifies “ongoing” threats or vulnerabilities, to the extent that the threat indicators can be anonymized, they will provide them with defensive measures to “appropriate stakeholders.” It is not known if this means that CISA views these “appropriate” stakeholders institutionally, functionally, or both.
Call to action and summary
Throughout the proposed rulemaking, CISA has consistently called for ongoing participation from the public and private sectors, with clear ‘asks’ throughout the proposed regulations for additional feedback during the comments period. This is a clear demonstration of benign intent, but it is an opportunity that the CI industry should not pass up, lest it be held to statutory regulation that unduly restricts industry, meets the letter but not the intent of the law, or creates un-sustainable reporting burdens. Another clear opportunity is that by fostering a culture of transparency and prompt reporting, CISA with CIRCIA is paving the way for a more resilient and secure digital future for the US. Yet the journey ahead requires sustained efforts to refine the proposal based on stakeholder feedback from all parts of critical infrastructure, and streamlining reporting processes, to ultimately leverage the power of shared information to counteract the evolving cyber threat landscape.
In future blogs, we will take a much deeper dive into “Substantially Similar” and FISMA exceptions; as well as ongoing analysis of CIRCIA and its relation to Federal and Tribal, Territorial, State, and Local (TTSL) cybersecurity mandates and efforts, such as the NREL’s RMUC program.
