As we near the end of another year, it is time to look ahead to developments in the information security and privacy landscape. One area of particular importance is the development of regulations implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

CIRCIA, which was signed into law in March 2022 as Division Y of the Consolidated Appropriations Act, 2022, will require, among other things, “covered entities” to report “covered cyber incidents” to the Cybersecurity and Infrastructure Security Agency “not later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred.” CIRCIA will also require covered entities to report to CISA ransom payments “not later than 24 hours after the ransom payment has been made.” As explained below, the reporting requirements are not yet in effect.

Before the reporting requirements go into effect, CISA must issue regulations defining some of the applicable terms, notably “covered entity” and “covered cyber incident.” Although additional clarification will be provided, the law does note that a covered entity must be an entity within a critical infrastructure sector and that a covered cyber incident “means a substantial cyber incident experienced by a covered entity[.]” CISA is required to publish a Notice of Proposed Rulemaking (proposed regulations) by March 2024. The proposed regulations will be open for public comment before final regulations are issued.

Although it will be a while before final regulations go into effect, it is not too early for organizations to prepare. Some organizations, especially those in specific sectors like the Healthcare and Public Health Sector, are already subject to federal incident reporting. However, CIRCIA requires CISA to establish and chair an intergovernmental cyber incident reporting council. This council is intended to coordinate, deconflict, and harmonize federal incident reporting requirements. If this council is successful in its mission, the result could be a lessened administrative burden on reporting, and increased coordination and response from the federal government.

Given the likely impact of these rules and regulations, we will continue to monitor developments. We also recommend that potential covered entities watch for the proposed regulations and, if comfortable doing so, submit comments. Organizations should also continue to review and update their incident response and notification plans consistent with the development of the regulations, as well as with other legislative and regulatory changes.