The (CIRCIA), signed into law by President Biden in March 2022 as part of the Consolidated Appropriations Act of 2022, will require companies operating in critical infrastructure sectors to report covered cyber incidents within 72 hours of the companies' reasonable belief that a cyber incident has occurred and report ransom payments within 24 hours after a payment is made.
Critical infrastructure sectors, which were defined in a 2013 presidential policy directive by President Obama, include financial services, telecommunications, information technology, healthcare, energy, and others. These new incident reporting requirements for critical infrastructure are among several sector-specific federal incident reporting requirements promulgated in the last year, and several other such requirements are under consideration. CIRCIA was enacted following years of debate about the need for mandatory incident reporting for critical infrastructure.
The CIRCIA reporting requirements have garnered significant attention in the press and among those in critical infrastructure sectors, but they may not go into effect for several years. CIRCIA requires the director of the Cybersecurity & Infrastructure Security Agency (CISA) to publish proposed rules implementing the reporting requirements within 24 months of CIRCIA's enactment, or by no later than March 2024. Final rules must be published within 18 months of the proposed rules, or by no later than September 2025.
The reporting requirements will not go into effect at least until the final implementing rules are in place, and CISA must prescribe the effective date for those requirements in its rules. To be clear, CIRCIA only sets forth deadlines for implementation of the rules—CISA may choose to develop its rules more quickly than is required.
CIRCIA leaves many crucial details of the law to CISA rulemaking. For example, using parameters set forth in the statute, CISA must promulgate definitions of the key terms "covered entity" and "covered cyber incident," the required contents of notifications, and covered entities' obligations to preserve data about covered cyber incidents and to provide supplemental reports.
While much of the discussion on CIRCIA has focused on the Reporting Requirements, the law also includes significant legal protections for information provided in cyber incident and ransom payment reports—including those submitted voluntarily—and provides for limited CISA enforcement powers.
Cyber Incident Reporting Requirements
CIRCIA has two reporting requirements—one for "covered cyber incidents," and one for "ransom payments."
Covered Cyber Incidents
A covered entity that experiences a covered cyber incident will be required to report the incident to the Department of Homeland Security (DHS) and CISA (an agency within DHS) by not later than 72 hours after the covered entity "reasonably believes that the covered cyber incident has occurred."
- There has been considerable debate in Congress about both the reporting deadline and the point at which that deadline should begin to run. In a bill introduced in the Senate in July 2021 (S. 2407), covered entities would have had to report within 24 hours of confirming a "cybersecurity intrusion" or "potential cybersecurity intrusion" (emphasis added). A competing bill from the House (H.B. 5440) limited covered cyber incidents to enumerated types of confirmed incidents and required notification within 72 hours of confirming that the incident had occurred.
- Incorporating language from another Senate bill introduced in October 2022 (S. 2875), CIRCIA takes something of a middle ground by requiring notification within 72 hours and starting the notification deadline upon a reasonable belief that an incident has occurred. The question of precisely when the notification deadline begins to run likely will be a significant area of contention during the CISA rulemaking process.
A covered entity that makes a ransom payment as the result of a ransomware attack against the covered entity will be required to report that payment to DHS and CISA not later than 24 hours after making the payment.
- Notably, CIRCIA limits this reporting requirement to payments made as the result of ransomware against the covered entity. This means that covered entities will not be required to report ransom payments made in response to other types of cyber extortion (for example, if an attacker downloaded data from an unsecured cloud account and demanded payment not to publish the data, such a payment would not be reportable under CIRCIA).
- CIRCIA states that a ransom payment may trigger this notification requirement even if the ransomware attack from which it arises is not a covered cyber incident. For example, a ransomware attack that affects only a small portion of a company's network might not meet the statutory requirement that a covered security incident be a "significant" cyber incident. If the victim company were to pay a ransom, the ransom payment, but not the incident itself, might be reportable under the Reporting Requirements.
Key Provisions for CISA Rulemaking
For several key requirements, CIRCIA establishes general parameters while delegating the specifics to CISA rulemaking. Among the most important details to be determined by CISA are:
Definition of "Covered Entity"
CIRCIA defines a covered entity as an entity in one of the 16 critical infrastructure sectors defined in Presidential Policy Directive 21 (PPD-21)1 that satisfies the definition set forth in CISA rulemaking. CIRCIA requires CISA to base its definition of covered entity on:
- (A) The consequences disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety;
- (B) The likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and
- (C) The extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.
Definition of "Covered Cyber Incident"
CIRCIA defines a covered cyber incident as a "substantial cyber incident" experienced by a covered entity that satisfies the definition set forth in CISA rulemaking. The law defines a "cyber incident" as "an occurrence that actually … jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually … jeopardizes, without lawful authority, an information system."2
CIRCIA sets forth the following minimum requirements for a covered cyber incident as defined by CISA:
- (i) "Cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes;
- (ii) A disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability, against
- I. An information system or network; or II. An operational technology system or process; or
- (iii) Unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise."
CIRCIA also requires that CISA consider several elements in defining covered cyber incidents, including the sophistication or novelty of tactics used by the attacker, the number of individuals impacted, and the potential for harm to industrial control systems.
Contents of Notifications
CISA also will need to define the required contents of notifications of both covered cyber incidents and ransom payments. Again, CIRCIA sets out the parameters, stating that the notifications must include information such as a description of the incident, identification and description of affected systems, an assessment of the incident's impact to data and information systems, the vulnerabilities that were exploited and the tactics, techniques and procedures (TTPs) used by the attackers, the amount and date of a ransom payment, and payment instructions (including any virtual wallet address).
Data Preservation Requirements
CIRCIA requires that covered entities preserve data related to the covered cyber incidents or ransom payments that they report under the law. But the statute delegates to CISA important issues like the types of data to be preserved and the retention period for such data.
CIRCIA requires that covered entities, after making an initial report of a covered cyber incident or ransom payment, "promptly" submit supplemental reports to DHS and CISA "if substantial new or different information becomes available or if the covered entity makes a ransom payment after submitting a covered cyber incident report…"
Covered entities are obligated to make such supplemental reports until they notify DHS and CISA that the covered cyber event at issue "has been fully mitigated and resolved." CISA is charged with setting deadlines and criteria for submitting supplemental reports, and its rulemaking must (among other things) "provide a clear description of what constitutes substantial new or different information" that would require a supplemental report.
The supplemental reporting requirement has received relatively little attention since CIRCIA was enacted, but it could be quite burdensome depending on how it is implemented through CISA rulemaking. New information can arise very quickly, and key facts may change several times during the course of an incident investigation; covered entities may be required to submit numerous supplemental reports to DHS and CISA throughout an incident response process.
CIRCIA states that the reporting requirements will go into effect on the dates set forth in CISA rulemaking. This means that no reporting requirements can take effect at least until CISA finalizes its implementing rules.
Protections for Reporting Entities
CIRCIA provides substantial protections for entities that report cyber incidents or ransom payments to DHS and CISA—whether they do so under a statutory requirement or voluntarily. Specifically:
- The government may only use information it receives under CIRCIA for specific purposes, including identifying and responding to cyber threats and threats of other serious harm (threats of death, serious bodily harm, serious economic harm, or sexual exploitation of a child).
- Information shared by DHS and CISA from reports of covered cyber incidents or ransom payments shall be anonymized so as not to identify the victim.
- Information may not be used in any federal, state, local, or tribal enforcement proceeding against the covered entity.
- Reported information shall "be considered the commercial, financial, and proprietary information of the covered entity when so designated by the covered entity."
- Reports are exempt from disclosure under the Freedom of Information Act (FOIA).
- Providing the information to the government shall not be considered a waiver of the attorney-client privilege or other applicable discovery protections, or of trade secret protection.
- No cause of action shall lie in any court for the submission of information under CIRCIA.
- No report submitted under CIRCIA, or any communication or material prepared for the sole purpose of preparing, drafting or submitting a report, may be received in evidence, subject to discovery or otherwise or otherwise used in any legal proceeding.
CIRCIA states explicitly that it does not change any of the rights or obligations that providers of electronic communications services have under the Stored Communications Act (SCA), 18 U.S.C. § 2701, et seq. Accordingly, such providers must continue to refer to the SCA to determine when and how they are permitted or required to disclose subscriber information, transactional data, or communications content to governmental entities.
CISA's (Limited) Enforcement Powers
CIRCIA endows CISA with the agency's first-ever enforcement powers. While the role of enforcer will be a new one for CISA—the agency has worked hard to position itself as a partner of privacy sector critical infrastructure companies, rather than as a regulator—its enforcement powers are limited.
If CISA has reason to believe that a company was required to notify of a covered cyber incident or ransom payment under CIRCIA but failed to do so, the agency may request additional information from that company to determine whether such an incident or payment occurred. Notably, information submitted by the company during this process is entitled to the protections listed above, even though the company failed to make the required notifications.
If the company fails to respond to CISA's request for information with 72 hours, CISA may issue a subpoena to compel a response. If the company fails to comply with the subpoena, CISA may refer the matter to the Department of Justice for civil action, potentially including contempt of court proceedings.
Coordination With Other Federal Cyber Reporting Requirements
The CIRCIA Reporting Requirements are among several new and proposed cyber incident reporting rules at the federal level. For example, the Federal Reserve, Office of the Comptroller of the Currency (OCC), and Federal Deposit Insurance Corporation (FDIC) recently promulgated a 36-hour notification requirement for certain "computer-security incidents" experienced by banking organizations and their service providers. That rule went into effect in April 2022.
In January 2022, the Federal Communications Commission (FCC) announced that its commissioners were discussing a proposed rule to require covered entities to notify the FCC of breaches of customer proprietary network information (CPNI).3 In 2021, the Transportation Security Administration (TSA) issued directives to several types of critical infrastructure operators, including freight and passenger railroad operators, airports and airlines,4 and critical pipelines requiring notification of cyber incidents to CISA.
This proliferation of federal cyber incident reporting requirements—on top of state law data breach notification requirements—has prompted concerns that companies may struggle to navigate multiple overlapping requirements from different agencies. CIRCIA may partially address these concerns by excusing a covered entity from the Reporting Requirements where the covered entity is "required by law, regulation, or contract to report substantially similar information to another Federal agency within a substantially similar timeframe," provided that CISA has entered into an information-sharing agreement with that other federal agency.
How much overlap this provision of CIRCIA actually prevents is yet to be seen. Different reporting requirements apply to different types of incidents and data—for example, the proposed FCC reporting requirements apparently would be limited to breaches of CPNI, whereas CIRCIA would apply to incidents causing significant business interruptions even without a data breach—so it is easy to foresee companies needing to navigate several federal reporting requirements at once.
Many of the key details of CIRCIA's Reporting Requirements have been delegated to CISA rulemaking, including the effective date for the reporting requirements. Although CISA has two years to propose implementing rules, it is possible that a proposal could come much sooner.
A March 2022 staff report from the Senate Homeland Security and Governmental Affairs Committee encourages CISA to work quickly to implement CIRCIA, and CISA is likely to face constant pressure to issue rules in the face of the ongoing ransomware epidemic, cyber threats from Russia in connection with its invasion of Ukraine, and other cybersecurity risks.