On Tuesday, March 15, 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 into law. The law, which was passed by Congress on March 10, constitutes the most comprehensive regulation of cybersecurity infrastructure yet. Under the Act, covered entities are required to report certain cyber incidents and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA).
Currently, a “covered entity” under the Act is an entity in a critical infrastructure sector pursuant to Presidential Policy Directive 21 (PPD-21). PPD-21 determined that 16 sectors were so vital to the US that their incapacitation would have critical effects on the health, safety, and security of the nation. The critical infrastructure sectors include, but are not limited to, the communications sector, the emergency services sector, and the information technology sector.
Covered entities must report qualifying “cyber incidents” to CISA within 72 hours of discovering the incident, or of what the entity reasonably believes is a covered incident under the Act. A covered incident is “a substantial cyber incident” that actually or imminently compromises the integrity, confidentiality, or availability of information on an information system. If the incident does not actually jeopardize information systems, it is not included under the Act.
Additionally, covered entities must report ransom payments made to malicious actors within 24 hours of payment regardless of whether the underlying attack would be considered a reportable cyber incident under the Act. “Ransom payments” are transmissions of money or other assets delivered in connection with a ransomware attack.
Prior to the passage of the Act, certain entities were already required to report malicious cyber activity to federal regulators. The Act stipulates that if a covered entity is already obligated by another provision to report to another federal agency information that is “substantially similar” to the information that must be reported under the Act within a similar timeframe, the entity need not report to CISA if the other agency has an information sharing mechanism in place with CISA.
All information reported to CISA is kept confidential, except that it may be used for threat and vulnerability identification and for investigating and prosecuting the reported cyberattack offenses. Covered entities also receive immunity from liability in suits brought by private parties based on the entity’s disclosure.
Should a covered entity fail to comply with the requirements under this Act, CISA may directly request the information from the entity. Failure to respond to this request will result in a subpoena from CISA. If the entity does not respond to the subpoena, CISA may refer the matter to the Attorney General for enforcement.
Finally, the Act directs CISA to create supplemental rules to implement the Act. The supplemental rules should include the following:
- The types of critical infrastructure entities that constitute “covered entities,” including an entity’s susceptibility to cyberattacks and why it is subject to the Act’s reporting requirements;
- Which cyber incidents are subject to the Act’s reporting requirements; and
- The required elements of a cyber incident or ransomware payment report under the law.
As the Act and its accompanying rules take effect, companies should consider whether they are a “covered entity” under the Act. If they are likely to be governed by the Act, they should think about how to bring their operations into compliance. If you have questions about how the Act may impact your company, please reach out to Linda McReynolds at firstname.lastname@example.org or (703) 714-1318.