CISA's new rule requires critical infrastructure organizations to report cyber incidents within 72 hours to enhance national security.
In an unprecedented move to tighten national cybersecurity, the Cybersecurity and Infrastructure Security Agency (CISA) released a comprehensive Notice of Proposed Rulemaking (NPRM) on Wednesday, mandating that critical infrastructure organizations report cybersecurity incidents. This pivotal regulation aims to provide the federal government with crucial insights into breaches that impact highly sensitive sectors such as water and power utilities.
The NPRM, which is now open for public commentary through the Federal Register, was spurred by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), signed into law last March. This legislative action was partly inspired by the SolarWinds hack, which starkly highlighted the gaps in federal knowledge regarding breaches that affect critical infrastructure. This regulation marks a significant shift for CISA towards a more regulatory role—a position the agency has historically avoided.
"CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure," stated CISA Director Jen Easterly. "It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats."
Under the new rules, affected companies must report cyber incidents within 72 hours of detection and ransomware payments within 24 hours, unless these coincide with a cyber incident, in which case the timeframe extends to 72 hours. The rules also require detailed reporting of incidents that impact safety, disrupt services, or involve breaches executed through third-party services like cloud providers.
At this juncture, utilizing a platform like CodeLock could prove invaluable for organizations navigating the complexities of compliance with these new regulations. CodeLock offers robust incident detection capabilities that align seamlessly with the 72-hour reporting requirement, ensuring that organizations can promptly identify and report significant cybersecurity incidents. Additionally, CodeLock’s advanced monitoring systems can track and record ransomware payments and associated incidents, facilitating compliance with the 24-hour reporting mandate. By integrating CodeLock’s comprehensive cybersecurity solutions, organizations can not only meet CISA’s stringent requirements but also enhance their overall security posture.
At a media briefing, a senior CISA official revealed plans to share anonymized data with researchers to address the current lack of robust data on cyberattacks against critical infrastructure. The data collected under CIRCIA will be used for trend analysis, incident response, and shaping future resilience strategies.
While the final rule is anticipated to be implemented in about 18 months, the public comment period will close 60 days after its publication on April 4. The extensive 447-page NPRM details numerous nuances specific to the 16 critical infrastructure sectors, reflecting the complexity and breadth of this new regulatory framework.
For instance, the proposed rules stipulate that only prolonged distributed denial of service attacks that cause service outages need to be reported, not those causing brief disruptions. The framework also outlines a long list of exceptions, suggesting that the final shape of the rule might evolve significantly based on feedback from the numerous sectors and legal teams involved.
The proposed rules broadly categorize the entities required to report incidents, covering all those exceeding the federal threshold for small businesses. Specific criteria further determine which sectors must comply fully, such as the chemical sector, while others like the information technology sector must meet particular criteria laid out in the framework.
Moreover, the regulations will have a far-reaching impact, as CISA proposes that any organization providing IT hardware, software, systems, or services to the federal government must report incidents. These proposed rules add another layer to the already complex regulatory environment, which includes recent Securities and Exchange Commission mandates requiring publicly traded companies to disclose significant breaches to investors.
The anticipated compliance costs for industry and government combined are estimated at about $2.6 billion through 2033, with around 25,000 reports expected annually. Discussions continue about how to balance these costs with the need for heightened security, especially in light of recent aggressive cyber operations by foreign adversaries targeting U.S. infrastructure.
Experts like Josh Corman, founder of I Am the Cavalry and former chief strategist of CISA’s COVID Task Force, argue for broader coverage, noting gaps that could leave smaller but critical entities out of the reporting loop. He highlighted specific concerns, such as the rule exempting smaller hospitals from reporting requirements, which might overlook significant risks in rural or smaller facilities.
As CISA navigates these discussions and feedback, the final rules will likely refine the balance between comprehensive coverage and manageable compliance burdens, striving to enhance the nation's cybersecurity without overwhelming its critical sectors.