Signed into law in March 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022, also known as CIRCIA, is a major milestone in increasing America’s cybersecurity. While there is a lot to unpack in this Act, the top-line takeaway is that the Cybersecurity and Infrastructure Security Agency (CISA) will be developing standards between now and September 2025 that will require certain entities to report cyber incidents and ransomware payments. According to CISA, this reporting will “allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.”
While these standards are still being developed, it’s important that organizations understand at least the basics of what the Act is going to require, how they can be involved in the conversation around the creation of the final regulations, and what they should be doing right now to prepare for the Act’s eventual implementation.
This legislation has been years in the making, with its roots in 2013’s National Infrastructure Protection Plan (NIPP). But with the rising sophistication and number of attacks, Congress was finally moved to act. The biggest obstacle to improving cybersecurity has not been people, process, or technology; it has been the lack of metrics for measuring cause and effect and answering questions such as “If I make this investment on the cybersecurity side, what impact will it have on my security posture?”, “Is the incidence of ransomware X or 5X?”, and “What actually helps mitigate these issues?”
This lack of visibility partly results from the fact that the government does not own most critical infrastructure. CIRCIA will help create a fuller picture by collecting data through cyber incident reporting, allowing a more strategic look at what is happening at scale and what works against threats. But it will only succeed if organizations comply with the legislation’s obligations.
It’s important to note that fulfilling CIRCIA’s requirements is not solely the responsibility of the private sector. The act also imposes tasks on the federal government. The Department of Homeland Security (DHS) must create and lead a cyber-incident reporting council to create a process for collecting this data and using it to improve response to incidents. CISA must develop a ransomware vulnerability warning pilot to help identify common vulnerabilities that get exploited and uncover ways to mitigate them.
In addition, CISA must establish a joint ransomware task force to coordinate action on ransomware within the United States and internationally, because countering ransomware is a quintessential public-private partnership. Increasing resilience within private-sector companies and educating users is one lever for change, but issues such as geopolitical safe havens for ransomware operators and the role of cryptocurrency as a critical enabler are problems that require governmental action.
Incidents that meet any one of these criteria are deemed a “covered cyber incident”:
The scope and scale that CISA is weighing are consistent with Presidential Policy Directive 21 (PPD-21), issued in 2013, which established the modern definition of critical infrastructure: entities where a loss is everyone’s loss, because it affects national security, economic security, public health, or safety. Considerations include:
This section of CIRCIA can be a bit panic-inducing at first glance. However, it’s helpful to remember that while these are called “must, at a minimum” requirements, not all information asked for below will be available within the first 72 hours. Most important is the spirit of the requirements, which is to report as much information as possible as soon as possible and then follow up consistently as more details come to light.
The seven requested items include:
It’s important to note that the final specifics of the CISA-developed requirements are still under development. That’s why it’s imperative for organizations that will be held to these requirements to stay abreast of developments as they occur — and take advantage of every mechanism available to ensure their perspective and input are included in the creation process.
It’s also important to understand that the information you submit will be used only for tracking, trend analysis, and response purposes. Under the Act, these reports cannot be used to regulate the reporting entity, and they will be protected to avoid causing reputational harm. CISA has already established a strong track record in protecting sensitive information shared with it. The sole goal is to spot the trends and possible solutions that are visible only when seeing the full picture.
Organizations in the following sectors — as well as those who support the security and resiliency of critical infrastructure — are responsible for meeting CIRCIA requirements:
This list is not likely to shrink as the process of finalizing CIRCIA requirements advances. However, it is foreseeable that sectors that have not yet been officially designated but would be considered critical infrastructure could be added in the future, such as a Space sector.
As mentioned above, many of the specifics around CIRCIA requirements are not yet final. Key milestones ahead include:
To facilitate the collection of input from critical infrastructure owners, operators, and other stakeholders, CISA intends to host listening sessions and release a Request for Information (RFI). More information on these options will be available on the CISA website when ready.
Because the timeline for CIRCIA’s “go live” is not set in stone, it’s imperative that organizations start preparing sooner rather than later. Three things that can be done right now are:
Criminal and nation-state bad actors are becoming increasingly bold and sophisticated. The risks to critical infrastructure, and the consequences of successful attacks, require a response that is also bolder and more sophisticated. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a huge step in that direction, providing regulations with real impact and enforcement powers with real teeth.
Learn more: In this 45-minute webinar, Fortinet’s William Noto, OT Segment Marketing Director, and Jim Richberg, Public Sector Field CISO, examine reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Learn who is covered, what is required, how your business may be impacted, and how to plan ahead for its full implementation in 2025.