Attacks on critical infrastructure are on the rise. That’s why the U.S. Congress passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Now, a major compliance deadline is coming due.
What’s going on? Read on to find out.
What is the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)?
For those who don’t know, CIRCIA is a major piece of legislation targeted at the critical infrastructure sector.
Introduced by the U.S. Congress in 2021 and signed into law the year after, CIRCIA requires certain critical infrastructure entities to report their cybersecurity and ransomware incidents to the Cybersecurity and Infrastructure Security Agency (CISA), an agency within the Department of Homeland Security (DHS).
Timeline of the Cyber Incident Reporting for Critical Infrastructure Act
At least, that’s what we know so far.
Although Congress is responsible for passing legislation, many times the responsibility for subsequent rulemaking gets farmed out to an executive-branch agency that specializes in the area in question.
CIRCIA is one such case. Congress delegated rulemaking responsibilities to CISA. The agency must, therefore, develop and issue detailed rules and regulations for critical infrastructure entities that align with the intent of the law.
What’s been going on?
Following the law’s passage, CISA opened a public comment period, soliciting feedback from other federal departments and agencies as well as private-sector organizations. That public comment period ended in April 2024.
After that date, Congress gave CISA 18 months to issue the Final Rule and declare the associated regulations effective. For critical infrastructure organizations, this means new regulations can go into effect as late as October 2025, or at any earlier date between now and then.
How can critical infrastructure organizations prepare?
Although final rules have yet to be hammered out, critical infrastructure organizations can still prepare to comply. How so? Well, CIRCIA, as the name implies, compels covered entities – those to whom the law will apply – to report cyber incidents and ransomware attacks.
We have a good idea of who covered entities will be. But even though specifications haven’t been finalized, organizations in the sector should still prepare to comply with the following proposed reporting requirements:
For cyber incidents:
- Covered entities must report any covered cyber incidents to CISA within 72 hours from the time the entity believes the incident occurred.
- Any federal entity — department, agency, or the like — that receives a cyber incident report must share it with CISA within 24 hours.
- Likewise, CISA must make any information it receives in such a manner about a covered cyber incident available to specific federal agencies, which will be listed in the Final Rule, within 24 hours.
- DHS must establish and chair a Cyber Incident Reporting Council, which is tasked with coordinating the effective completion of all federal incident reporting requirements across all agencies.
For ransomware incidents:
- Covered entities must report to CISA within 24 hours of the time a ransom payment has been made as the result of a covered ransomware incident.
- Likewise, CISA must make any information it receives in such a manner about a covered ransomware incident available to specific federal agencies, which will be listed in the Final Rule, within 24 hours.
- CISA must establish a Ransomware Vulnerability Warning Pilot Program, which will identify systems it determines to be vulnerable to ransomware attacks, and may issue notifications to those systems’ owners.
Finally, attacks on critical infrastructure are rising sharply. So too are compliance obligations for the critical infrastructure industry, with legislation like CIRCIA obligating entities in the sector to notify CISA when they’ve been victims of security incidents.
While CISA finishes rulemaking, these organizations can take a step toward compliance by seeking out security management software to help ensure updates are shared with the regulator in a timely manner to meet reporting obligations.
What other digital capabilities can help critical infrastructure organizations work together to anticipate and manage threats, conduct preparedness activities, effectively respond to disruptions, and continually learn from insights to strengthen resilience to comply with CIRCIA? Check out our Buyer’s Guide to Critical Infrastructure Protection Software to find out.