CISA releases landmark cyber incident reporting proposal
Due to ongoing cyberattacks and threats, critical infrastructure organizations have been on high alert. Now, the Cybersecurity and Infrastructure Security Agency (CISA) has introduced a draft of landmark regulation outlining how organizations will be required to report cyber incidents to the federal government.
The 447-page Notice of Proposed Rulemaking (NPRM) has been released and is open for public feedback through the Federal Register. CISA was required to develop this report by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). With this new document, CISA aims to enhance the government’s capacity to monitor incidents and ransomware payments.
CIRCIA was largely inspired by major attacks, such as those involving SolarWinds, a Microsoft Exchange Server and Colonial Pipeline. Now, even companies with robust cyber resilience are concerned. These incidents made it clear that the severity of infrastructure attacks was growing, which jolted the government into action.
CIRCIA rules and requirements
Before CIRCIA, Congress stated that “no one U.S. Government agency has visibility into all cyberattacks occurring against U.S. critical infrastructure on a daily basis.” CIRCIA intends to enable a coordinated, informed U.S. response to the foreign governments and criminal organizations conducting these attacks.
According to the newly released NPRM, covered critical infrastructure organizations are required to report incidents within 72 hours after an entity believes a cyberattack has occurred. Ransomware payments must be reported within 24 hours of being made. However, if payment is accompanied by an incident, the organization has 72 hours to comply with reporting.
The newly proposed guidelines state that a covered entity must report any and all ransom payments — even if the incident is not a covered cyber incident. Additionally, the new rules require a covered entity to report a ransom payment even if a third party makes the payment.
Learn more about incident response
What is a covered entity?
In general, CISA determines that covered entities are part of the 16 critical infrastructure sectors, which include:
- Chemical Sector
- Commercial Facilities Sector
- Communications Sector
- Critical Manufacturing Sector
- Dams Sector
- Defense Industrial Base Sector
- Emergency Services Sector
- Energy Sector
- Financial Services Sector
- Food and Agriculture Sector
- Government Facilities Sector
- Healthcare and Public Health Sector
- Information Technology Sector
- Nuclear Reactors, Materials and Waste Sector
- Transportation Systems Sector
- Water and Wastewater Sector
Furthermore, CISA is proposing that covered entities exceed the U.S. Small Business Administration’s (SBA) small business size standard based on either the number of employees or annual revenue, depending on the industry.
What is a covered incident?
As per the NPRM, a covered incident is a substantial incident that involves a covered entity. CISA is proposing four types of impacts that would result in the incident being classified as a substantial cyber incident and, therefore, reportable. The four types of impact include:
- Impact 1: Substantial Loss of Confidentiality, Integrity or Availability
- Impact 2: Serious Impact on Safety and Resiliency of Operational Systems and Processes
- Impact 3: Disruption of Ability to Engage in Business or Industrial Operations
- Impact 4: Unauthorized Access Facilitated Through or Caused by a: (1) Compromise of a CSP, Managed Service Provider or Other Third-Party Data Hosting Provider, or (2) Supply Chain Compromise
NPRM open for discussion
Following the release of the NPRM, it’s now up to stakeholders across the critical infrastructure sectors to make comments. Are the rules too complex? What happens to substantial incidents in smaller entities? Will resources diverted to compliance requirements have a clear security benefit? These questions remain to be answered before the rules get put into action.
More from News
April 8, 2024
Recent developments and updates in Biden cyber policy
3 min read – The White House recently released its budget for the 2025 fiscal year, which supports the government’s commitment to cybersecurity. The cybersecurity funding allocations line up with the FY 2025 cybersecurity spending priorities released last year that included the following pillars: Defend critical infrastructure Disrupt and dismantle threat actors Shape market forces to drive security and resilience Invest in a resilient future Forge international partnerships to pursue shared goals. In 2023, the White House released a 35-page document detailing the new…
April 1, 2024
Change Healthcare cyberattack causes dire billing crisis
3 min read – Last month’s cyberattack on Change Healthcare, a sizable unit of UnitedHealth Group, brought new repercussions rarely seen in a cyberattack. As a result of the threat actor’s actions, healthcare systems and providers suffered cash flow issues, which resulted in providers being unable to pay their rent, owners dipping into their personal savings and patients being prevented from receiving important medications. Most importantly, patients are unable to get insurance approval for procedures, surgeries and prescriptions, which can affect their health outcomes.…
March 25, 2024
Can memory-safe programming languages kill 70% of security bugs?
3 min read – The Office of the National Cyber Director (ONCD) recently released a new report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software.” The report is one of the first major announcements from new ONCD director Harry Coker and makes a strong case for adopting memory-safe programming languages. This new focus stems from the goal of rebalancing the responsibility of cybersecurity and realigning incentives in favor of long-term cybersecurity investments. Memory-safe programming languages were also included as a…
Topic updates
Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
This post was originally published on the 3rd party site mentioned in the title of this this site