CISA Launches New Cyber Incident Reporting Rules for US Defense Contractors

The US Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a new draft for updated rules on cyber reporting for critical infrastructure organizations.

In an effort to update the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), CISA released the first draft of the new proposed rules, which will be published in the Federal Register on April 4.

These rules will apply to all US defense contractors considered to operate critical infrastructure under the DFARS clause 252.204-7012.

Under the legislation, all organizations that fall within the 16 critical infrastructure sectors, as defined by CISA, will be obliged to report cyber incidents to the agency within 72 hours of their occurrence.

Additionally, ransom payments made in response to a ransomware attack must be reported within 24 hours after the payment has been made.

US Defense Contractors to Double Report to Both CISA and DoD

The new 447-page document describes the steps that “covered entities” must take when they experience a cyber incident or a ransom request.

These include reporting to CISA in any of the following four situations:

  • Substantial loss of confidentiality, integrity, or availability
  • Serious impact on safety and resiliency of operational systems and processes
  • Disruption of ability to engage in business or industrial operations
  • Unauthorized access facilitated through or caused by a supply chain compromise or the compromise of a cloud service provider (CSP), managed service provider (MSP) or other third-party data hosting provider

In the document, CISA proposed enforcement actions for false reporting or non-compliance, such as the ability to subpoena the entity or to refer it to the US Justice Department (DoJ).

Although CISA acknowledged that most – if not all – covered entities already have to report the same incidents to the US Defense Department (DoD), the agency "nevertheless is proposing to include them within the CIRCIA Applicability section."

"This will ensure that the Federal government receives information necessary to identify cyber threats, exploited vulnerabilities and techniques, tactics and procedures (TTPs) that affect entities in this community and in other interdependent critical infrastructure sectors, even if changes are made to what must be reported pursuant to the DFARS regulation, over which CISA has no authority," reads the draft.

Covered entities have 60 days to send CISA feedback on the new proposed rules.

On April 5, 2024, the US Chamber of Commerce and over 20 industry groups across several sectors (finance, aviation, telecoms, railroads, healthcare and pipelines) published an open letter asking CISA for a 30-day extension of the feedback period, to allow more time to become familiar with the proposed new rules.

This article was updated on April 9, 2024.