The recent closure of the public comment period for the U.S. Cybersecurity and Infrastructure Security Agency’s Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) has brought significant attention to the potential impact of the proposed reporting rules. These rules, if enacted, have the potential to drive greater transparency, accountability, and improvements in cyber readiness and resilience across all critical infrastructure sectors in the United States.
The proposed rules under CIRCIA demand timely reporting of ransomware payments to CISA within 24 hours and all covered cyber incidents within 72 hours. These rules apply to a wide range of entities across 16 critical infrastructure sectors, including energy, water, transportation, healthcare, and financial services. The potential regulatory burden of these rules is not insignificant, with an estimated 316,000 entities affected and an expected cost of $2.6 billion for compliance, data preservation, and reporting expenses.
The focus on critical infrastructure in the CIRCIA rules is well-founded, given the evidence of nation-state threat actors targeting and attempting to compromise key systems within the U.S. and allied critical infrastructure sectors. The Volt Typhoon revelations in recent months have underscored the urgent need for improved visibility and situational awareness to detect, contain, and recover from potential cyber attacks on critical infrastructure.
For Chief Information Security Officers (CISOs), the introduction of CIRCIA represents both a challenge and an opportunity. While compliance with the reporting rules may require significant adjustments in reporting processes and timelines, it also presents a chance to strengthen cybersecurity postures, develop proactive security measures, and engage in robust incident response planning. The potential benefits of increased reporting under CIRCIA include better preparation for cyber threats through breach and attack simulations that can leverage a wider range of threat intelligence data.
To effectively prepare for CIRCIA reporting requirements and future regulatory assessments, CISOs should collaborate with legal, risk management, and security teams to assess cybersecurity postures and implement robust detection, simulation, and reporting mechanisms. Additionally, the adoption of breach and attack simulation (BAS) solutions can significantly enhance organizations’ readiness to comply with the rules, as well as proactively prepare for potential cyber threats and regulatory audits.
BAS solutions, by simulating real-world attacks based on known cyber adversary tactics and techniques, can help organizations identify security control gaps, validate the performance of their security tools, and optimize incident response workflows. By continuously updating attack simulations with the latest threat intelligence data, BAS platforms can provide organizations with a proactive approach to cybersecurity that aligns with sector-specific threats and regulatory requirements.
In the face of rising accountability in the cybersecurity landscape, driven by government regulations, legal liabilities, and insurance costs related to cyber threats, organizations must prioritize cyber defense preparedness. The combination of comprehensive breach and attack simulation programs and adherence to CIRCIA reporting requirements can empower organizations to enhance their cybersecurity posture, mitigate risks, and effectively report on their cyber readiness efforts to stakeholders.
As the cybersecurity landscape continues to evolve, organizations that proactively invest in threat detection, incident response, and compliance measures will be better positioned to navigate the complex cybersecurity environment and protect critical infrastructure systems from emerging cyber threats. With a strategic focus on compliance, risk management, and cyber defense, organizations can build resilience and readiness to confront the challenges posed by cyber attacks and regulatory requirements.