For just shy of a decade, the Defense Industrial Base (DIB) has had to operate under rules dictating the safeguarding of Controlled Unclassified Information, along with a strict 72-hour notification requirement if/when/should a “cyber incident” occur. For the uninitiated, these are the requirements found in the Department of Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. And for a large swath of government contractors, these requirements have been more bane than benefit, as many have struggled to meet the DFARS’ stringent requirements.

Well, critical infrastructure industry, welcome to the party! Soon, companies involved in all sectors of critical infrastructure will need to comply with new federal reporting requirements for cybersecurity incidents and ransom payments after President Joe Biden signed The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the Act) into law on March 15, 2022. Tied to an omnibus appropriations package, the Act requires entities involved in critical infrastructure to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and any paid ransom demands within 24 hours. While these new reporting obligations will not become effective until CISA promulgates rules to further define the requirements, the DIB’s experience has shown that it would be wise to begin examining best practices for incident response plans sooner rather than later.

What entities are covered?

Before we dive too deep into this topic, the question likely floating into the reader’s mind is: Am I involved in critical infrastructure? Well, the answer is, “Uh…probably.” The new law defines covered entities as organizations involved in critical infrastructure as identified by Presidential Policy Directive 21 (PPD 21), which will be further clarified by the CISA director in the forthcoming rules. PPD 21 identifies 16 critical infrastructure sectors whose physical or virtual assets, systems, and networks are “so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” It’s a pretty lengthy and broad-ranging list that includes the following sectors of industry:

  • Chemical
  • Commercial Facilities
  • Communications
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency Services
  • Energy
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health
  • Information Technology
  • Nuclear Reactors, Materials, and Waste
  • Transportation Systems
  • Water and Wastewater Systems

Defined in greater detail here, these sectors address a wide swath of industry, many of which may not know or be ready for the requirements being levied upon them. Time to learn because, if we’re comparing these new requirements to federal contracting and DIB requirements, these sectors have been effectively “drafted.”

New Cybersecurity Reporting Requirements for Companies Involved in Critical Infrastructure

The new law directs CISA, which is part of the Department of Homeland Security (DHS), to monitor and assess cyber and ransomware threats and report them to Congress, businesses, and the public in order to identify trends and vulnerabilities that could target the economy, national security, or public health and safety. The law seeks to improve monitoring, coordinate the national response, and strengthen defense in an era of escalating cyber threats. Like its DoD counterpart, the requirements direct covered critical infrastructure sector entities to report a cyber incident within 72 hours of discovering that it has occurred. They will also need to report ransom payments within 24 hours of payment, even if the ransomware attack is not a cyber incident covered by the rules. Entities will also need to preserve data relevant to cyber incidents or ransom payments in a particular format.

In operation, the law provides the director of CISA 24 months to draft and publish rules that will clarify exactly which entities will be obligated to report, what kinds of incidents will need to be reported, and how entities will need to report. Thereafter, the director will have 18 months to issue final rules concerning the reporting requirements.

What Incidents Will Need to Be Reported?

Requirements are still being created, but critical infrastructure entities will need to be prepared to describe when and how devices, networks, and information systems were impacted by a cyber incident. The Act presently defines a “covered cyber incident” as “a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director in the final rule.” The definition, of course, is presently chock full of ambiguity that is expected to be clarified in the upcoming rule-making process. Ultimately, covered entities will need to describe any loss of confidentiality, integrity, or availability/access to the affected systems and how the incident disrupted operations as well as include a description of the vulnerabilities that were exploited. Most importantly, they will also need to understand when or how the definition of “cyber incident” is triggered.

Once triggered, covered entities will need to submit ongoing updates concerning reported incidents if new or different information becomes available or if they make ransom payments after submitting a cyber incident report. Entities will have to notify CISA when the cyber incident has been concluded, mitigated, and resolved. For entities that do not comply with reporting requirements, the law gives subpoena power to the director of CISA.

How the Reporting Will Be Used

The reports are intended to allow CISA to monitor cybersecurity threats across the economy. The intent is to have the agency anonymize the data and use it to publish quarterly unclassified public reports describing observations, findings, and recommendations. CISA will also conduct monthly briefings to Congress on the national cyber threat landscape.

In addition, the law calls for the establishment of three initiatives: (1) DHS will establish an intergovernmental Cyber Incident Reporting Council to streamline the government’s incident reporting requirements; (2) CISA will establish a Joint Ransomware Task Force to coordinate a national campaign against ransomware attacks; and (3) CISA will also establish a Ransomware Vulnerability Warning Pilot Program to identify systems with security vulnerabilities and notify their owners about weaknesses.

What Companies Can Do Now

Companies involved in, with, or near the sectors identified by PPD 21 as critical infrastructure should keep an eye out for CISA’s coming proposed rules, which will clarify which organizations will be subject to the new reporting requirements. They may come out of the blue, so it is important to keep a close eye out if your company could be viewed as a part of that sector. Once those rules are finalized, covered entities will have little time to report incidents to CISA. Being prepared to review and update your existing (or developing) incident response plans to comply with these reporting obligations will be key. To the extent that these plans don’t already identify them, companies should identify, define, and include “triggers” for determining when the company “reasonably believes” it is experiencing or has experienced a covered cyber incident. Organizations that may fall under the new rules can begin to review their policies and identify potential updates to their protocols to ensure they can comply with the prompt reporting required by the law once the new rules are finalized. Beyond internal policies, similar to the contract flowdown requirements applied in the DIB, covered entities should also examine existing and model subcontracts and vendor agreements to better understand or instill similar cyber-incident reporting obligations within underlying supply chains to avoid cybersecurity risks coming from unaware suppliers.

Fortunately, for those in the DIB who have suffered cyber whiplash amid DoD’s cybersecurity back and forth, the Act intends to allow federal agencies to coordinate, deconflict, and harmonize federal incident reporting obligations. This would help ensure that there are agreed-upon federal sharing mechanisms, allowing critical infrastructure entities to report cyber incidents to only one agency (e.g., the DoD), which would then share the report with CISA in lieu of making a covered entity report the same information to multiple agencies. Of course, for many federal contractors or companies working in multiple sectors, ensuring that such mechanisms are actually in place will be critical to ensuring compliance with these future requirements.

While those affected by these pending rules have some months to get ready, they shouldn’t be lulled into a sense of complacency. Beyond the pivot needed just to meet these evolving requirements, companies should also expect to spend significant time integrating these requirements into existing processes, policies, and procedures. Get started now.