The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will, when implemented, require critical infrastructure entities to inform the federal government when they suffer a significant cyber incident or pay ransomware extortion.
CIRCIA is intended to “help preserve national security, economic security, and public health and safety,” the Cybersecurity and Infrastructure Security Agency (CISA) said in its 447-page initial Notice of Proposed Rulemaking, which was published Wednesday.
The goal is to help the federal government better analyze threat trends and identify tactics, techniques and procedures. CISA could also more quickly both warn potential victims and assist others. In addition, new insights could help software developers make safer products.
CIRCIA could also pave the way for stronger policy responses. Cybersecurity experts have said the U.S. needs more ransomware incident reporting to better understand threats and to make informed decisions.
The draft will get an update, with CISA slated to publish an official version on April 4. Stakeholders will have 60 days to submit feedback at http://www.regulations.gov. The final rule is expected 18 months later.
All told, CIRCIA is expected to require reporting from 316,244 entities, per the agency.
But the notice identifies key areas of debate that emerged as CISA developed the draft rule, as well as CISA’s proposed approach and reasoning.
States making their own cybersecurity reporting laws have debated how promptly to require disclosure. CIRCIA gives an entity 72 hours to report a qualifying cyber incident. Entities also have 24 hours to report after they pay ransomware extortion, or a third party does so on their behalf. The goal is to get information quickly enough that CISA can analyze details to alert other targets in time, but slow enough to avoid disrupting initial response efforts or accuracy of reporting. Under the proposal, organizations would submit updated and additional information later, as they learn more about incidents.
Much debate has also gone into how to define the type of entities and incidents this covers.
Some stakeholders warned CISA that requiring too many entities and too many kinds of incidents could overwhelm the agency. But CISA concluded that improved data management tools and procedures can handle a lot of information.
Some stakeholders also stressed making a user-friendly reporting process, which CISA aims to do via a web form. CISA also aims to provide safeguards around information in reports, including exempting them from public record requests and ensuring entities are civilly liable based on information they report.
CISA also aims to reduce duplication. For example, proposing a CIRCIA exception for organizations that already provide very similar reporting on similar timelines to another federal entity.
CISA estimates that implementing the rule will cost the public and private sector a combined $2.6 billion from 2023 through 2033. Those expenses include technology and personnel government needs for receiving, analyzing and sharing reported information, along with private entity costs associated with learning about and complying with the requirements.
Still, these are rough estimates made with uncertainty because they work around big knowledge gaps. For example, CISA doesn’t know how many reports to expect, among other details.
