Cyber Incident Reporting for Critical Infrastructure Act of 2022 Introduced

On March 15, 2022, President Biden signed into law the Consolidated Appropriations Act 2022, which provides an omnibus spending package to fund the government through September and includes the "Cyber Incident Reporting for Critical Infrastructure Act of 2022" (the Act).  

Purpose of the Act

The general purpose of the Act is to provide the Cybersecurity & Infrastructure Security Agency (“CISA”) with actionable information on cybersecurity incidents occurring within critical infrastructure so that the Federal government may review the reported threat, assess the situation, and provide the reporting organization with actionable guidance on mitigation of future incidents.

Covered Entities

The Act applies to private and public companies, as well as state, local, Tribal, and territorial government entities, operating in one of the following 16 critical infrastructure sectors:

1. Chemical Sector

2. Communications Sector

3. Dams Sector

4. Emergency Services Sector

5. Financial Services Sector

6. Government Facilities Sector

7. Information Technology Sector

8. Transportation Systems Sector

9. Commercial Facilities Sector

10. Critical Manufacturing Sector

11. Defense Industrial Base Sector

12. Energy Sector

13. Food and Agriculture Sector

14. Healthcare and Public Health Sector

15. Nuclear Reactors, Materials, and Waste Sector

16. Water and Wastewater Systems Sector

Additionally, CISA will only designate an entity a “covered entity” after considering:

  • the disruption to or compromise of the entity could cause consequences to “national security, economic security, or public health and safety”;

  • the likelihood that the entity may be targeted by a threat actor;

  • the extent of “damage, disruption, or unauthorized access” that the entity may incur as a result of a disruption or compromise to its system.

Covered Incidents

A “substantial”—and, as a result, covered—cyber incident is one that falls into any of the following categories:

  • the incident leads to a “substantial loss of confidentiality, integrity, or availability” of the entity’s information systems or a “serious impact on the safety and resiliency” of the entity’s operations;

  • if the incident would cause a “disruption of business or industrial operations,” including service denials, ransomware attacks, or exploitation of “zero day vulnerability[ies]”; or

  • if the incident creates “unauthorized access or disruption of business or industrial operations” resulting from the loss of services facilitated through or caused by a third-party data hosting provider or supplier. 

In addition, the responsible agency will consider:

  • “the sophistication or novelty of the tactics used” in conducting the incident;

  • “the number of individuals directly or indirectly affected” as a result of the incident; and

  • “potential impacts on industrial control systems” during or as a result of the incident. 

Covered Entity Obligations

The Act imposes the following obligations on covered entities:

  1. Report “covered cyber incidents” to CISA within 72 hours of determining that the incident has occurred;

  2. Report the issuance of a ransomware payment to CISA within 24 hours of the incident;

  3. Provide to CISA supplemental information when substantial or new information regarding the incident becomes available to the entity; and

  4. Maintain and preserve any data relevant to the “covered cyber incidents.”

In providing reports to CISA, covered entities must, at a minimum, provide the following information:

  • A description of the incident;

  • A description of the vulnerabilities exploited during the incident;

  • The security defenses the entity maintained prior to the incident;

  • The tactics, techniques, and procedures the threat actor utilized to conduct the incident;

  • Contact information or any identifying information for the threat actor;

  • The information compromised during the incident; and

  • The contact information for the covered entity.

The Act makes clear that covered entities may utilize and rely on third-party vendors such as “an incident response company, insurance provider, service provider, information sharing and analysis organization, or law firm” to satisfy these reporting obligations.   

If the entity is not considered a “covered entity,” it may make these reports on a voluntary basis.

Use Limitations for Data Received

Where a covered entity provides the required information for a report, the permissible uses for this information include:

  • For cybersecurity;

  • To identify a cyber threat or vulnerability;

  • To assess, respond to, prevent, or mitigate “a specific threat of death, a specific threat of serious bodily harm, or a specific threat of serious economic harm, including a terrorist act or use of a weapon of mass destruction”;

  • To assess, respond to, prevent, or mitigate “a serious threat to a minor, including sexual exploitation and threats to physical safety”; or

  • To assess, respond to, disrupt, or prosecute an offense arising out of a reported incident or action.

Enforcement

When CISA reasonably believes a covered entity has experienced a reportable incident or engaged in a reportable action, CISA may make an initial request for disclosure. After 72 hours following the initial request, if the covered entity fails to provide the disclosure, CISA may issue subpoenas requiring disclosure. Failure to comply with the subpoena may result in a lawsuit seeking enforcement and a potential charge of contempt of court.

The agency currently has 24 months to publish the notice of proposed rulemaking in the Federal Register. After the issuance of the proposed rule, the agency will have 18 months to issue a final rule. As such, organizations currently have a substantial amount of time to come into compliance with these regulations.
