Cyber incidents involving critical infrastructure pose a serious risk to the US. In March 2024, the Environmental Protection Agency and the National Security Advisor warned state governors about potential attacks on drinking water and wastewater facilities by specific Iran- and China-aligned hackers. The following month, on April 4, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued a proposed rule to implement the cyber incident reporting requirements of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), with the goals of preparing for such attacks and improving the federal government's ability to collect and analyze data on cyber incidents affecting critical infrastructure. CIRCIA, enacted as part of an omnibus appropriations act, directed CISA to promulgate regulations requiring covered entities to report covered cyber incidents and ransom payments made in response to ransomware attacks affecting critical infrastructure.
Who Is Subject to the Rule and What Incidents Are Subject to Reporting?
The proposed rule defines critical infrastructure as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." 42 U.S.C. § 5195c(e). Currently, there are 16 critical infrastructure sectors identified in Presidential Policy Directive 21.
The rule applies to covered entities, defined as entities in a critical infrastructure sector that either (1) are not a small business under the size standard for their applicable North American Industry Classification System (NAICS) code or (2) meet one or more of the sector-based criteria set out in section 226.2 of the proposed rule. A covered cyber incident is a cyber incident (an "occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system; or actually jeopardizes, without lawful authority, an information system") that results in any of the following:
- A substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network
- A serious impact on the safety and resiliency of a covered entity’s operational systems and processes
- A disruption of a covered entity’s ability to engage in business or industrial operations or to deliver goods or services
- Unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by one of the following:
- The compromise of a cloud service provider, managed service provider, or other third-party data hosting provider
- A supply chain compromise
A ransomware attack is an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or that actually or imminently jeopardizes, without lawful authority, an information system, and that involves (but need not be limited to) a cyber incident that:
- Involves the use or the threat of use of unauthorized or malicious code on an information system, or of another digital mechanism such as a denial-of-service attack
- Is carried out to interrupt or disrupt the operations of an information system, or to compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system
- Is done to extort a ransom payment
These elements are cumulative rather than alternatives: a denial-of-service attack with no extortion demand, for example, is not a ransomware attack under the definition, although it may still be a covered cyber incident. Consistent with the statute, the definition also excludes events in which the demand for payment is not genuine or is made in good faith in response to a specific request by the owner or operator of the information system.
What and When to Submit and What Must Be Retained
The proposed rule requires the submission of four types of reports: (i) a covered cyber incident report, (ii) a ransom payment report, (iii) a joint report consisting of a covered cyber incident report and ransom payment report, and (iv) supplemental reports. Covered entities must submit supplemental reports when they become aware of substantially new or different information about the cyber incident or subsequently make a ransom payment after initially submitting a covered cyber incident report.
The proposed rule also specifies certain timing requirements for each report:
- A covered cyber incident report must be submitted no later than 72 hours after the covered entity reasonably believes a covered cyber incident has occurred. The clock runs from reasonable belief, not from confirmation of the incident or completion of forensic analysis.
- Ransom payment reports must be submitted no later than 24 hours after a ransom payment has been disbursed.
- A joint report must be submitted no later than 72 hours after the covered entity reasonably believes a covered cyber incident has occurred. Supplemental reports must be submitted promptly, except that a supplemental report disclosing a ransom payment made after the covered cyber incident report was submitted is due no later than 24 hours after the payment is disbursed.
The proposed rule permits a covered entity to use a third party (e.g., a cybersecurity firm or insurance company) to submit a CIRCIA report on its behalf, provided the report includes an attestation that the third party is expressly authorized by the covered entity to submit it. Delegating submission does not delegate responsibility: the covered entity remains responsible for compliance with the reporting requirements. Information submitted in compliance with the proposed rule that is confidential or proprietary should be marked as such so that it can be withheld from disclosure under the Freedom of Information Act. The proposed rule also provides liability protection against litigation based solely on the submission of a CIRCIA report or a response to a CISA request for information.
In addition, the proposed rule requires a covered entity to preserve all data and records related to a covered cyber incident or ransom payment for no less than two years from the submission of the most recently required CIRCIA report, or from the date such submission would have been required but for the substantially similar reporting exception in section 226.4(a) (which applies when the entity reports substantially similar information, in a substantially similar timeframe, to another federal agency under a CIRCIA Agreement between CISA and that agency, as determined in CISA's discretion). Records within scope include, for example, communications with the threat actor, indicators of compromise, relevant log entries, memory captures and other forensic artifacts, and information about any exfiltrated data. All data and records must be preserved in their original format or form, which means retaining raw logs, images, and artifacts rather than summaries, and covered entities must implement reasonable safeguards to protect those data and records against unauthorized access or disclosure, deterioration, deletion, destruction, and alteration.
The proposed rule also includes several enforcement mechanisms, including potentially significant liability if a covered entity fails to report a covered cyber incident or ransom payment. If CISA has reason to believe a covered entity failed to report a covered cyber incident or ransom payment, CISA may issue a request for information, followed by a subpoena if the covered entity fails to respond adequately to the request. CISA may also refer a matter to the Attorney General to bring a civil action to enforce compliance with a subpoena. Finally, the proposed rule provides that knowingly and willfully making a materially false or fraudulent statement or representation in connection with, or within, a CIRCIA report, a response to a request for information, or a response to an administrative subpoena is subject to the penalties under 18 U.S.C. § 1001 (e.g., fines and imprisonment).
What Does This Mean for Contractors?
Once final, the proposed rule will add another cyber incident reporting regime to the more than three dozen cyber incident reporting requirements currently in effect throughout the federal government. Although the proposed rule includes certain exceptions to limit the burden of implementation, including an exception for small businesses, that exception is narrower than it appears: the sector-based criteria in section 226.2 apply regardless of an entity's size, so a small business that meets any one of those criteria must still implement a CIRCIA compliance program. Department of Defense contractors and subcontractors, in particular, should expect to be covered, because the proposed rule applies to contractors or subcontractors "required to report cyber incidents to the Department of Defense pursuant to the definitions and requirements of the Defense Federal Acquisition Regulation Supplement 48 CFR 252.204-7012[.]"
It remains to be seen how far the proposed rule will limit duplicative cyber incident reporting. As noted above, section 226.4 provides a mechanism that would reduce that burden: "[A] covered entity that reports a covered cyber incident, ransom payment, or information that must be submitted to CISA in a supplemental report to another Federal agency pursuant to the terms of a CIRCIA Agreement will satisfy the covered entity's reporting obligations under § 226.3." However, unless a CIRCIA Agreement expressly covers supplemental reports, a covered entity remains subject to CIRCIA's supplemental reporting requirements even where its initial report was made to another agency.
Although a final rule is not expected until October 2025, contractors should carefully review the proposed rule and file comments on or before June 3, 2024. The proposed rule estimates that 316,244 entities would be affected and that the total industry cost would be approximately $1.44 billion over 10 years. Contractors should therefore review the proposed rule to determine whether they will be subject to CIRCIA's requirements and plan to establish and implement appropriate compliance procedures.