Sophos Advisory on CIRCIA – Sophos News

President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law in March 2022 in the United States. The enactment of this law requires the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations mandating covered entities to report covered cyber incidents and ransomware payments to CISA within 24 months of the law passing. This law grants CISA its first-ever enforcement powers and is a significant step in enhancing cybersecurity measures in the country.

The new law aims to enhance cybersecurity measures in critical infrastructure sectors by ensuring that organizations report cyber incidents promptly. Covered entities in the critical infrastructure sectors defined by Presidential Policy Directive 21 will be affected by this legislation. Sectors such as Energy, Financial Services, Healthcare, and Transportation will be required to comply with the reporting requirements outlined in the law.

Under the legislation, covered entities are encouraged to voluntarily share cyber incident information with CISA until the Final Rule implementing CIRCIA’s reporting requirements goes into effect in 2025. Once the Final Rule is in place, covered entities will be required to report a covered cyber incident within 72 hours and report a ransomware payment within 24 hours of the transaction. The organizations will also need to provide updates on previously submitted reports if new information becomes available.

The definition of a covered cyber incident is expected to include various criteria such as substantial loss of confidentiality, integrity, or availability of information systems, disruption of business or industrial operations due to cyber attacks, unauthorized access, and disruption of business operations facilitated by compromise of third-party service providers. The legislation will also consider the sophistication of tactics used in cyber incidents and the potential impact on industrial control systems.

When reporting a cyber incident, covered entities should be prepared to provide details such as the incident date and time, location, type of observed activity, number of people or systems affected, severity of the event, and other relevant information. Third parties such as incident response companies, insurance providers, and law firms may be allowed to submit reports on behalf of impacted organizations.

If an affected entity fails to comply with reporting requirements, the Director of CISA may issue a subpoena to compel disclosure of necessary information. However, CIRCIA reports are expected to be considered confidential and exempt from disclosure under certain provisions to protect the commercial, financial, and proprietary information of the reporting entity.

In conclusion, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a crucial step towards enhancing cybersecurity measures in the United States. By mandating covered entities to report cyber incidents promptly, the law aims to improve the overall security posture of critical infrastructure sectors and protect against cyber threats and attacks. Organizations in these sectors should prepare to comply with the reporting requirements outlined in the legislation to ensure the safety and resilience of their operations.
