Complying with the Cyber Incident Reporting for Critical Infrastructure Act — which was passed into law in March of 2022 — may present new challenges for information security teams. Organizations in the 16 critical infrastructure sectors are the primary targets for the Act. However, any business acting as a vendor or supplier to an entity that is classified as part of the critical infrastructure, or any organization for which a cyber disruption would impact economic security or public health in the U.S., may also be impacted.
The Act requires those organizations subject to the law to report substantial cybersecurity incidents to the federal government within 72 hours. If an organization makes a ransomware payment, it has only 24 hours to make such a report. Even if an incident does not involve Personally Identifiable Information (PII), these requirements may still apply.
The Intent of the Cyber Incident Reporting for Critical Infrastructure Act
The principal intent of the Act is for the Cybersecurity and Infrastructure Security Agency (CISA), the enforcing agency for the Act, to gather, evaluate, analyze, and compile information related to system infiltrations that may lead to potential widespread system threats.
The data CISA will collect is meant to help stop the spread of successful attacks by identifying threat actors and helping to identify and build defenses against their methodologies. Intelligence gained and potential strategies for averting attacks will then be shared through public alerts to provide organizations with the information they need to block new threats and take action to protect their IT systems.
During an interview at the 2022 Boston Conference on Cyber Security on June 1, 2022, Brandon Wales, Executive Director, U.S. Cybersecurity and Infrastructure Security Agency (CISA), reinforced the value of this information in helping to stop the spread of cyber threats:
“A cybersecurity event can cause catastrophic impacts on public health and safety, the economy, or national security,” said Brandon Wales, Executive Director, CISA.1 “We’re there … to help make sure the next potential victim is able to stop an attack before it is successful.”2
Wales went on to say, “We think it’s (the Cyber Incident Reporting for Critical Infrastructure Act) an incredibly important piece of legislation that will over the long-term really be a seismic change in our ability to … use information to take action against adversaries and to protect the U.S. critical infrastructure.”3
Additional Clarification is Essential to Understand New Obligations
At present, the general wording of the Act leaves room for interpretation. For example, covered entities must file a report for a significant cyber incident within 72 hours after they reasonably believe a qualifying incident has occurred. Beyond critical infrastructure, which organizations could be considered “covered entities”? What type of incident will qualify as “significant”? And how will “reasonably believe” be defined?
Regulations must address these questions before the reporting requirements go into effect. CISA has until March 2024 to develop the new regulations, and then another 18 months to finalize them. However, given the increasing cyber threat landscape, it is highly likely CISA will accelerate this process so report results can more quickly be used to help reduce overall threats and mitigate potential losses.
CISA recently confirmed its desire to accelerate the regulation development process: “We have two years to publish a draft rulemaking, and then 18 months after that to publish a final rule,” Wales said. “Obviously, we are going to try to move more quickly than that.”
Which Organizations Could Be Affected?
Most companies within critical infrastructure sectors are already aware they will be subject to the law and new reporting requirements. However, depending on how widely the net is cast, the final definition of covered entities is likely to include subcontractors, vendors, and/or suppliers that exchange data or share technology with a critical infrastructure organization. All critical infrastructure subcontractors, vendors and suppliers should pay close attention to the regulation development process and prepare early for new information protection responsibilities that may be needed in order to comply with the new law.
What Might Be Required?
In addition to who must report, what is to be reported must also be defined. Providing the information necessary to determine how a breach occurred (exploited vulnerability, new infiltration strategy, human error, etc.) and the likelihood that the incident can be replicated in other systems is essential to ensuring CISA can effectively identify and promote strategies to eliminate such threats. The information shared must be detailed enough to show the tactic: for instance, whether the cybercriminal used a missing patch to traverse the network and bypass the antivirus system, which may call into question the overall security hygiene of the system that was breached.
In light of this, it seems likely that critical infrastructure organizations will be asking business partners and service providers to provide assurances that they have sufficient data security policies, procedures, and programs in place to comply with the new law.
If a system breach does occur, under the new law organizations that resist reporting and providing requested information can be subpoenaed and compelled to provide requested data and data system information. This gives CISA significant authority to demand information related to any impacted corporate record system. If CISA’s efforts to collect information fail, the agency has the authority to pass matters along to the Department of Justice.
Proper Preparation Helps Ensure Compliance
Given the time it takes to restructure cybersecurity programs and develop reporting mechanisms, organizations within the Critical Infrastructure ecosystem along with their third-party service providers, vendors, and suppliers, should consider taking steps as soon as possible to prepare for and avoid any complications that may arise from this new law.
“You need to start thinking about how you prepare and plan for any type of cyber incident now,” Wales stated.5
The first steps should be to review and update current incident response plans and discuss potential changes with information security and compliance professionals as soon as possible.
How HITRUST Can Help Prepare Your Organization
With the Cyber Incident Reporting for Critical Infrastructure Act regulations on the horizon, using HITRUST to help manage and assess your information risk management program, and to assure both internal and external stakeholders that information protection controls are robust and effective, will be more important than ever.
HITRUST offers a comprehensive information risk management program methodology that is integrated, maintained, and widely adopted to support your organization’s security and compliance goals. The HITRUST Approach addresses the key challenges of implementing and assessing data protection, information risk management, and compliance.
HITRUST Certification is a market-leading security, privacy, and compliance assessment. Achieving it can help you demonstrate to all relevant parties that your organization has taken the most proactive approach to data protection and risk mitigation, and is adhering to the highest information security standards.
The foundation of all HITRUST programs and services is the HITRUST CSF, an industry-leading, certifiable information risk management and compliance framework that organizations can rely on to provide reliable, high-quality assurance results with transparency, accuracy, integrity, and consistency.
For more information regarding the Cyber Incident Reporting for Critical Infrastructure Act, or on preparing your organization, contact firstname.lastname@example.org.
In a fireside chat interview at the Boston Conference on Cyber Security, hosted on June 1, 2022, by Boston College and the FBI, Brandon Wales, Executive Director, U.S. Cybersecurity and Infrastructure Security Agency (CISA), offered many comments about CISA and the Cyber Incident Reporting for Critical Infrastructure Act. The comments included in this blog are publicly available quotes taken from the video-recorded interview posted on YouTube.
1 YouTube Video: Timestamp 2:45-2:50
2 YouTube Video: Timestamp 9:04-9:13
3 YouTube Video: Timestamp 37:02-37:20
4 YouTube Video: Timestamp 35:16-35:26
5 YouTube Video: Timestamp 23:04-23:08