Skip to content

Critical Infrastructure Entities Take Note: Mandatory Cyber Incident Reporting Looms

Author: Leticia Lambourne, Security Consultant

June 4, 2024

Big changes are coming for critical infrastructure entities. The Cybersecurity and Infrastructure Security Agency (CISA) has just published proposed regulations under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) that will mandate cyber incident reporting. These new reporting requirements could have a significant impact on your organization.

What do you need to know to comply? Below we provide the key points for understanding the upcoming obligations under the impending Rule.

Who Must Report?

CIRCIA applies to a wide spectrum of organizations designated as “Covered Entities,” including:

  • Chemical facilities
  • Communication service providers
  • Critical manufacturers
  • Defense contractors
  • Emergency service providers
  • Energy sector entities
  • Financial institutions
  • Large government entities
  • Educational institutions
  • Election technology providers
  • Healthcare providers
  • IT vendors to the government
  • Nuclear facilities
  • Transportation systems
  • Maritime facilities
  • Water and wastewater systems
  • Commercial facilities
  • Dams
  • Food and agriculture entities
  • Any entity in a critical infrastructure sector that exceeds the small business size standard established by the Small Business Administration (SBA) for its industry.

This infographic published by CISA outlines the key criteria for determining CIRCIA applicability within each covered sector.

What Needs to be Reported?

A “Covered Cyber Incident,”  defined as an event with any of the following impacts, must be reported to CISA within 72 hours of identification:

  • Significant data loss or system disruption
  • Compromised operational systems or processes
  • Disruption of core business functions
  • Unauthorized access facilitated by third-party compromise.

Ransom Payments must be reported to CISA within 24 hours of disbursement. A “Ransom Payment” is defined as the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which is delivered in connection with a ransomware attack.

Additionally, Covered Entities must promptly submit supplemental reports to CISA under two conditions: 1) substantial new or different information regarding a previously reported cyber incident arises; or 2) a ransom payment is made concerning a previously reported incident.

CIRCIA reports will require detailed information, such as:

  • Incident description and impacts
  • Exploited vulnerabilities
  • Attacker tactics, techniques, and procedures (TTPs)
  • Indicators of compromise (IOCs)
  • Perpetrator information (if available)
  • Mitigation and response activities
  • Ransom demand and payment details (for ransomware attacks)

How to Report?

Reports will be submitted through a web-based form or another CISA-approved method, using one standardized form for all incident types. Third-party reporting is permitted, without restrictions on the third party’s qualifications.

What Evidence Must be Preserved?

Covered Entities must preserve specific data and records related to the incident or ransom payment for two years after submitting the final CIRCIA report. This includes:

  • IOCs and relevant log entries
  • Forensic artifacts (memory captures, forensic images, relevant network data, system information, etc.)
  • All communications with the threat actor.

What Does This Mean to You?

Healthcare

Healthcare already has breach notification requirements within HIPAA, but CIRCIA will expand upon those requirements and require a much tighter reporting timeframe.

  • Expanded Reporting Requirements: HIPAA is focused primarily on data breaches involving Protected Health Information (PHI). CIRCIA will require reporting of all significant cyber incidents, even if no PHI or patient data is breached.
  • Faster Reporting Timeframes: HIPAA notification timelines vary between 1 to 60 days. CIRCIA mandates reporting within 72 hours, with a much tighter 24-hour window for reporting ransomware payments.
  • Reporting to a Different Authority: HIPAA requires breaches to be reported to the Department of Health and Human Services. CIRCIA will require reporting of cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA).

Defense

  • New Reporting Requirements: CMMC focuses on implementing strong cybersecurity practices but does not mandate reporting of all cyber incidents. CIRCIA will require reporting significant cyber incidents to CISA regardless of CMMC level. This includes incidents that may not directly impact a DoD contract.
  • Integration with Existing Processes: Companies will need to integrate CIRCIA reporting requirements with their existing cybersecurity protocols and CMMC compliance procedures.
  • Workforce Training: Employees may need additional training to identify reportable incidents and understand the appropriate response protocols under CIRCIA.

Utilities

The impact of CIRCIA on utilities will likely depend on the size and existing cybersecurity culture of the utility. For smaller facilities, the additional workload and reporting requirements could be significant.

  • Increased Awareness on Incident Detection and Reporting: Facility operators will need to be more vigilant in detecting cyber incidents and understanding what constitutes a “covered incident” reportable to CISA under CIRCIA. This might involve additional training or updated protocols.
  • Meeting Tight Reporting Deadlines: The 72-hour window for reporting significant incidents and the 24-hour window for ransomware payments will put pressure on facility operators to act quickly and decisively in the event of a cyberattack. This will require clear communication protocols and well-defined response procedures.
  • Documentation and Record Keeping: Facility operators will be responsible for documenting the details of cyber incidents and preserving relevant data for up to two years after submitting a report to CISA.

Prepare Now for Compliance

The CIRCIA Notice of Proposed Rulemaking (NPRM) is open for public comment until June 3, 2024, with a published Final Rule expected within 18 months, after which the rule will take effect. The NPRM and instructions for submitting comments are available online.

Summit Security Group can assist you in developing robust incident response plans to ensure seamless compliance with the upcoming CIRCIA regulations. Proactive measures now will minimize disruption and ensure timely reporting and proper evidence retention in the event of a cyber incident.

 

Share This Post

Related Articles

Business can not wait

Web developers, it is time to add another item to your security checklist: mutation cross-site...

Navigating the Muddy Waters of CMMC

The adage “trust but verify” is a principle that emphasizes the importance of verifying the...

Hands of robot and human touching virtual AI brain data creative in light bulb. Innovation futuristic science and artificial intelligence digital technology global network connection.

The adoption of Large Language Models (LLMs) has increased at an alarming rate ever since...