TLDR:
Key Points:
- CISA has launched new cyber incident reporting rules for US defense contractors under the CIRCIA Act of 2022.
- Organizations must report cyber incidents within 72 hours and ransom payments within 24 hours of the payment being made.
In an effort to enhance cybersecurity measures, the US Cybersecurity and Infrastructure Security Agency (CISA) has introduced new cyber incident reporting rules for critical infrastructure organizations, specifically targeting US defense contractors. Under the updated Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), all defense contractors considered to operate critical infrastructure will be required to report cyber incidents within 72 hours of occurrence. Additionally, any ransom payment made in response to a ransomware attack must be reported within 24 hours.
The new rules, outlined in a 447-page document, detail the specific situations that necessitate reporting to CISA. These include substantial loss of confidentiality, integrity, or availability, significant impacts on safety and operational resilience, disruptions in business operations, and unauthorized access due to supply chain compromise or third-party breaches. Non-compliance or false reporting may result in coercive measures by CISA, such as subpoenaing the entity or involving the US Justice Department.
While many of the covered entities already report incidents to the US Defense Department (DoD), CISA is aiming to ensure comprehensive reporting to identify cyber threats across critical infrastructure sectors. Feedback on the proposed rules is welcomed from covered entities within 60 days to further refine the reporting requirements.