CISA Proposes Cyberattack Reporting Rules for Critical Infrastructure Entities
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has proposed a rule that implements cyberattack and ransom payment reporting requirements for critical infrastructure entities, as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
In March 2022, CIRCIA was signed into law by President Biden, one of the requirements of which was for CISA to develop and implement new regulations that require critical infrastructure entities, including hospitals and health systems, to report covered cyber incidents and ransomware payments to CISA. The purpose of the reporting is to provide CISA with timely information about cyberattacks to allow resources to be rapidly deployed and assistance provided to support victims of cyberattacks and allow CISA to rapidly identify cyberattack trends and disseminate information to help network defenders prevent further attacks.
When developing the new requirements, CISA consulted with various entities, including the Sector Risk Management Agencies, the Department of Justice, other appropriate Federal agencies, the DHS-chaired Cyber Incident Reporting Council, and non-federal stakeholders.
Incidents That Should Be Reported
- Unauthorized access to systems
- Denial of Service (DOS) attacks that last more than 12 hours
- Malicious code on systems, including variants if known
- Targeted and repeated scans against services on systems
- Repeated attempts to gain unauthorized access to systems
- Email or mobile messages associated with phishing attempts or successes
- Ransomware against critical infrastructure, including variant and ransom details if known
Information That Should be Shared
- Incident date and time
- Incident location
- Type of observed activity
- Detailed narrative of the event
- Number of people or systems affected
- Company/Organization name
- Point of Contact details
- Severity of event
- Critical Infrastructure Sector if known
- Anyone else that has been informed
Proposed Timeframe for Reporting
Time is of the essence when reporting incidents. The sooner CISA is informed, the faster information can be shared to warn other organizations in the sector about attackers’ tactics, techniques, and procedures. Covered entities will be required to report covered incidents within 72 hours, and ransom payments will need to be reported within 24 hours of payment being made.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Since some of the requirements of CIRCIA are regulatory, CISA is first required to publish a Notice of Proposed Rulemaking (NPRM) in the Federal Register and accept public comments for 60 days. The NMPR was published in the Federal Register on March 27, 2024. The Final Rule will be published within 18 months of the date of the NPRM.
The new reporting requirements will not be mandatory until the Final Rule takes effect; however, CISA encourages all critical infrastructure entities to voluntarily report cyberattacks and ransom payments ahead of the compliance date. The information shared will allow CISA to provide assistance and warnings to other organizations to prevent them from suffering similar attacks.
A fact sheet has been released that summarizes key requirements and the NPRM can be viewed in the Federal Register.
