Priya Patel
TLDR:
- CISA issued a Notice of Proposed Rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act.
- Covered entities must report cyber incidents within 72 hours and ransom payments within 24 hours.
The Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a new Critical Infrastructure Reporting Rule, known as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022. Under this rule, covered entities are required to report significant cyber incidents within 72 hours of discovery, along with ransom payments within 24 hours. The rule aims to enhance cybersecurity coordination and response efforts across industry and government sectors, with CISA Director Jen Easterly emphasizing its importance in leveraging incident and ransomware payment data to detect patterns, address information gaps, and assist entities impacted by cyberattacks swiftly.
The proposed rule, estimated to cost $2.6 billion and potentially affecting over 316,000 entities, was published on April 4, 2024, initiating a public comment period until June 3, 2024. Callie Guenther from Critical Start highlighted challenges such as varying cybersecurity levels across sectors and the need for clear guidelines on defining “significant” cyber incidents. Jose Seara of DeNexus emphasized the importance of proactive preparation and risk assessment, especially in capital-intensive environments with cyber-physical assets.
Marcus Fowler from Darktrace Federal pointed out the increasing convergence of IT and operational technology (OT) in critical infrastructure providers and manufacturing companies, leading to growing cyber-physical attack risks. Guenther advised balancing the rule’s effectiveness with financial and operational feasibility, suggesting phased implementation based on entity size and sector criticality. Industry-specific risk identification and compliance flexibility were also recommended for broad protection.
