Examining the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)

By Jim Richberg | September 02, 2022

Signed into law in March 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022, also known as CIRCIA, is a major milestone in increasing America’s cybersecurity. While there is a lot to unpack in this Act, the top-line takeaway is that the Cybersecurity and Infrastructure Security Agency (CISA) will be developing regulations between now and September 2025 that will require certain entities to report covered cyber incidents and ransomware payments. According to CISA, this reporting will “allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.”

While these regulations are still being developed, it’s important that organizations understand at least the basics of what the Act is going to require, how they can be involved in the conversation around the creation of the final rules, and what they should be doing right now to prepare for the Act’s eventual implementation.

What Are the Primary Obligations Under the Cyber Incident Reporting for Critical Infrastructure Act?

This legislation has been years in the making, with its roots in the 2013 National Infrastructure Protection Plan (NIPP). But with the rising sophistication and number of attacks, Congress was finally moved to act. The biggest problem in enhancing cybersecurity has not been the people, process, or technology; it has been the metrics: measuring cause and effect and answering questions such as “If I do this on the cybersecurity side, what is the impact going to be on my security?”, “Is the incidence of ransomware X or 5X?”, and “What helps mitigate these issues?”

This lack of visibility partly results from the fact that the government does not own most critical infrastructure. CIRCIA will help create a fuller picture by collecting the data through cyber incident reporting to take a more strategic look at what’s happening at scale and what works against threats. But it only will succeed if organizations comply with the legislation’s obligations.

CIRCIA Obligations Include:

  • Reporting any “covered cyber incident” to CISA within 72 hours of the point at which the entity reasonably believes the incident has occurred
  • Reporting any ransomware payment to CISA within 24 hours of making the payment
  • Providing CISA with supplemental reports when substantial new or different information regarding the incident becomes available to the entity, until the entity notifies CISA that the incident has been resolved

It’s important to note that fulfilling CIRCIA’s requirements is not solely the responsibility of the private sector. The act also imposes tasks on the federal government. The Department of Homeland Security (DHS) must create and lead a Cyber Incident Reporting Council to harmonize federal incident reporting requirements and to establish a process for collecting this data and using it to improve response to incidents. CISA must develop a ransomware vulnerability warning pilot to identify systems exposed to vulnerabilities commonly exploited by ransomware actors and to notify their owners so they can mitigate them.

In addition, CISA must establish a Joint Ransomware Task Force to coordinate action within the United States and internationally, because ransomware is a problem that can only be addressed through a public-private partnership. Increasing resilience within private sector companies and educating users is one lever for change, but issues such as geopolitical safe havens for ransomware authors and the role of cryptocurrency as a critical enabler are problems that require governmental action.

What is a “covered cyber incident” under CIRCIA?

Incidents that meet any one of these criteria are deemed a “covered cyber incident”:

  • A “substantial loss of confidentiality, integrity, or availability” of an information system or network, or a “serious impact on the safety and resiliency” of operational systems and processes; or
  • A “disruption of business or industrial operations,” including through a denial-of-service attack, a ransomware attack, or exploitation of a “zero-day vulnerability”; or
  • “Unauthorized access or disruption of business or industrial operations” due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or by a supply chain compromise

The scope and scale that CISA is weighing are consistent with Presidential Policy Directive 21 (PPD-21), issued in 2013, which established the modern definition of critical infrastructure. This means entities where a loss is everyone’s loss: things that affect national security, economic security, health, and safety. Considerations include:

  • Whether disruption to or compromise of the entity could cause consequences to “national security, economic security, or public health and safety”
  • “The number of individuals directly or indirectly affected" as a result of the incident
  • “Potential impacts on industrial control systems” during or as a result of the incident

What are the Minimum Reporting Requirements for Cyber Reporting under CIRCIA?

This section of CIRCIA can be a bit panic-inducing at first glance. However, it’s helpful to remember that while these are called “must, at a minimum” requirements, not all of the information asked for below will be available within the first 72 hours. Most important is the spirit of the requirements, which is to report as much information as possible as soon as possible and then follow up consistently, through supplemental reports, as more details come to light.

The seven requested items include:

  1. Description of the incident
  2. Description of the vulnerability
  3. Security defenses maintained
  4. Tactics, techniques, and procedures used by a threat actor
  5. Identifying information for a threat actor
  6. Information compromised during an incident
  7. Contact information for a covered entity

It’s important to note that the final specifics of the CISA-developed requirements are still under development. That’s why it’s imperative for organizations that will be held to these requirements to stay abreast of developments as they occur — and take advantage of every mechanism available to ensure their perspective and input are included in the creation process.

It’s also important to understand that the information you submit will only be used for tracking, trend analysis, and response purposes. The Act provides that reports cannot be used by the federal government to regulate the reporting entity, including through enforcement action, and that they will be protected from disclosure to avoid causing reputational harm. CISA has already established an excellent track record in protecting sensitive information. The sole goal is to spot the trends and possible solutions that are only visible when seeing the full picture.

What Sectors are Covered Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022?

Organizations in the following 16 critical infrastructure sectors defined by PPD-21, as well as those who support the security and resiliency of critical infrastructure, are expected to be responsible for meeting CIRCIA requirements (the Final Rule will define precisely which entities within each sector are covered):

  • Chemical sector
  • Commercial Facilities sector
  • Communications sector
  • Critical Manufacturing sector
  • Dams sector
  • Defense Industrial Base sector
  • Emergency Services sector
  • Energy sector
  • Financial Services sector
  • Food and Agriculture sector
  • Government Facilities sector
  • Healthcare and Public Health sector
  • Information Technology sector
  • Nuclear Reactors, Materials, and Waste sector
  • Transportation Systems sector
  • Water and Wastewater Systems sector

This list is not likely to be reduced as the process of finalizing CIRCIA requirements advances. However, it is foreseeable that sectors that have not yet been officially designated but would be considered critical infrastructure, such as a Space sector, could be added in the future.

When will the Cyber Incident Reporting for Critical Infrastructure Act of 2022 be Implemented?

As mentioned above, many of the specifics around CIRCIA requirements are not yet final. Key milestones ahead include:

  • March 15, 2024, is the deadline for the publication of a Notice of Proposed Rulemaking (NPRM). This signifies that the initial draft of the proposed rules is complete, and the NPRM is open for public comment. That formal comment period is not the only avenue for input, however: if an organization has relationships with its sector’s Information Sharing and Analysis Center (ISAC) or Information Sharing and Analysis Organization (ISAO), or with a part of government that is likely to be consulted, now is a good time to start speaking up and exercising that informal network.
  • September 15, 2025, is the deadline for CISA to issue the Final Rule that will govern reporting and, theoretically, when implementation would officially begin. However, in the event of another major infrastructure attack, there is a significant possibility that Congress could accelerate this timeline.

How Can You Prepare Now for the Cyber Incident Reporting for Critical Infrastructure Act of 2022?

To facilitate the collection of input from critical infrastructure owners, operators, and other stakeholders, CISA intends to host listening sessions and release a Request for Information (RFI). More information on these options will be available on the CISA website when ready.

Because the timeline for CIRCIA’s “go live” is not set in stone, it’s imperative that organizations start preparing sooner rather than later. Three things that can be done right now are:

  1. Stay informed. Stakeholders should stay current on what is happening with the rulemaking process. It’s important to be aware of opportunities for input as well as any changes that could be made to the implementation timeline.
  2. Participate in the process. If a proposed requirement feels onerous, this is the time to speak up. Certain issues are already easy to see, such as the tension between the need to re-image a server to get back in business after an event and the Act’s requirement that covered entities preserve data relevant to the incident, which means evidence must be documented or captured before systems are rebuilt. Stakeholder perspective is critical in the development stage.
  3. Start reporting cyber incidents now. It’s true that the reporting requirements will not be mandatory until the Final Rule has been issued. But operating with limited visibility is a dangerous way to function, so CISA encourages critical infrastructure owners and operators to voluntarily share information on cyber incidents with the agency even before the date CIRCIA rules become effective. Unusual cyber activity and/or cyber incidents can be shared with CISA 24/7 via report@cisa.gov or (888) 282-0870.

Criminal and nation-state bad actors are becoming increasingly bold and sophisticated. The risks to critical infrastructure, and the consequences of successful attacks, require a response that is also bolder and more sophisticated. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a huge step in that direction, providing regulations with real impact and enforcement powers with real teeth.

Learn more: In this 45-minute webinar, Fortinet’s William Noto, OT Segment Marketing Director, and Jim Richberg, Public Sector Field CISO, examine reporting requirements around the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Learn who is covered, what is required, how your business may be impacted, and how to plan ahead for its full implementation in 2025.