What Critical Infrastructure Should Do: Mandatory Cybersecurity Incident Reporting for Critical Infrastructure is Coming and CISA Encourages Voluntary Reporting Now


April.15.2022

The Cybersecurity and Infrastructure Security Agency (“CISA”) released a “Sharing Cyber Event Information” Fact Sheet on April 7 that may preview its implementation of the new federal government cyber incident reporting requirement signed into law on March 15—the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Section Y within the Consolidated Appropriations Act). Many key details of the reporting requirement are subject to future rulemaking by CISA, including the critical infrastructure organizations to which the reporting requirements will apply; what cyber incidents must be reported (i.e., “substantial” cybersecurity incidents); what information critical infrastructure organizations will have to report; and the mechanics of submitting the reports.  The critical infrastructure industry has time to prepare as the reporting requirement will not take effect until the rulemaking process has been completed, although CISA encourages voluntary reporting now.  Although the proposed rules are required to be issued in the rulemaking progress within 24 months, with the final rule due 18 months thereafter, organizations should anticipate that CISA will move more quickly, and that the final rule could be issued as early as early 2023.

Statutory Framework and CISA’s Recommendations for Current Reporting Under its Fact Sheet

The statute provides a framework that gives a picture of what can be expected when the reporting requirement becomes mandatory.  While CISA has not yet started the rulemaking process, the CISA Fact Sheet provides recommendations for voluntary reporting starting now.

Cyber Incident & Ransom Payment Reporting Framework

CISA Fact Sheet

Who Has to Report?

Entities that operate in a critical infrastructure sector[1]:

Critical Infrastructure Owners and Operators. (This term is not defined in the Fact Sheet, but CISA’s existing guidance defines Critical Infrastructure Sectors as the 16 sectors identified in Presidential Policy Directive 21, which mirrors the Act.)

Federal, State, Local, Territorial, and Tribal Government Partners

  • chemical;
  • commercial facilities;
  • communications;
  • critical manufacturing;
  • dams;
  • defense industrial base;
  • emergency services;
  • energy;
  • financial services;
  • food and agriculture;
  • government facilities;
  • healthcare and public health;
  • information technology;
  • nuclear reactors, materials, and waste;
  • transportation systems; and
  • water and wastewater systems.

Covered entities may use a third party to submit the required report.

 

Substantial Cyber Incident

Ransom Payment

 

What Events Have to Be Reported?

The occurrence of “substantial” cyber incidents[2], including:

  • Substantial loss of confidentiality, integrity, or availability of information system or network;
  • Serious impact on the safety and resiliency of operational systems and processes;
  • Disruption of business or industrial operations (e.g., denial of service, ransomware, or zero-day vulnerability exploitations affecting information systems, networks, or operational technology system or process); and
  • Unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.

The payment of ransom as the result of a ransomware attack.

  • Unauthorized access to your system
  • Denial of Service (DOS) attacks that last more than 12 hours
  • Malicious code on your systems
  • Targeted and repeated scans against services on your systems
  • Repeated attempts to gain unauthorized access to your system
  • Email or mobile messages associated with phishing attempts or successes
  • Ransomware against Critical Infrastructure

What Details Have to Be Reported?

For a substantial cyber incident, details may include[3]:

  • A description of the incident that includes:
    • identification and a description of the function of the affected information systems, networks, or devices affected;
    • a description of the unauthorized access;
    • dates of event; and
    • the impact to operations.
  • Description of the vulnerabilities exploited and the security defenses that were in place, as well as the tactics, techniques, and procedures used to perpetrate the covered cyber incident.
  • Any identifying or contact information for the actor responsible.
  • Identification of the category or categories of information that were, or are reasonably believed to have been, accessed or acquired by an unauthorized person.
  • Business information for the impacted entity.
  • Contact information that CISA may use to contact the entity or authorized agent.

For a ransom payment[4]:

  • Date of ransom payment.
  • Amount of ransom payment.
  • Ransom payment demand, including the type of virtual currency or other commodity requested.
  • Ransom payment instructions.
  • Description of the ransomware attack, including the estimated date range of the attack.
  • Description of the vulnerabilities, tactics, techniques, and procedures used.
  • Any identifying or contact information for the actor responsible.
  • Business information for the impacted entity.
  • Contact information that CISA may use to contact the entity or authorized agent.
  1. Incident date and time
  2. Incident location
  3. Type of observed activity
  4. Detailed narrative of the event
  5. Number of people or systems affected
  6. Company/Organization name
  7. Point of Contact details
  8. Severity of event
  9. Critical Infrastructure Sector (if known)
  10. Anyone else informed by the reporting entity

 

When Does It Have to Be Reported?

Within 72 hours from when the entity “reasonably believes” that a “substantial” cyber incident has occurred.

Within 24 hours of making a ransom payment.

CISA encourages reporting “quickly” so information can be used to “render assistance and provide a warning to prevent other organizations and entities from falling victim to a similar attack.”

Prompt updates or supplemental reports required if “substantial new or different information becomes available,” up until Agency is notified that the covered incident has been fully mitigated and resolved.

Where Does It Have to Be Reported?

To CISA via a user-friendly web-based form.[5]

Send an email to [email protected]

OR

Use CISA’s Incident Reporting Form if you are a Federal or Critical Infrastructure partner that has completed one previously

OR

Send phishing email to [email protected]

The statute also imposes a duty to preserve data relevant to the covered incident or ransom payment in accordance with the final rule.

Enforcement Mechanism

The Act includes an enforcement mechanism, which is new to CISA which previously had no relevant enforcement powers and/or subpoena powers.  It now gets both.  Specifically, if the CISA Director has reason to believe that a covered entity failed to submit a required report, the Director may obtain information about the covered cyber incident or ransom payment by engaging the covered entity directly.  If after 72 hours, no response or an inadequate response is received, then CISA may seek the information via a subpoena.  If an entity fails to comply with a subpoena, CISA can refer the matter to the Attorney General to bring a civil action. The enforcement action and subpoena powers do not apply to covered entities that are State, local, Tribal or territorial government entities.

If the Director determines that information provided in response to a subpoena may constitute grounds for a regulatory or criminal action, then the Director may provide such information to the Attorney General or head of the applicable regulatory agency.  By contrast, the information contained in a voluntary report or in response to direct inquiry from CISA cannot be used as the basis for such actions.

Information Sharing Provisions

Information received in the reports will be processed and shared by CISA with a number of different groups.

Federal Government:  Within 24 hours of receiving a report, CISA will need to make the information available to “appropriate Sector Risk Management Agencies and other appropriate federal agencies.”  This interagency sharing is subject to specific requirements to be set by the President, including what agencies are to be included in the information sharing.  The FBI and Department of Justice, who had been vocal with their frustration about not being included as direct report recipients, are likely to be provided with reports through this provision. Information from the reports can also be shared with federal departments and agencies to identify and track ransom payments.  CISA will provide a monthly briefing to congressional leadership regarding the national cyber threat landscape.

Information Sharing Groups:  Anonymized information about context, threat indicators, and defensive measures will be shared with information sharing cyber groups, such as state and local governments, cyber incident response firms, and security researchers. 

Critical Infrastructure Owners and Operators:  Reported information can be shared, on a voluntary basis, between relevant critical infrastructure owners, particularly where such information relates to ongoing threats, a security vulnerability, or mitigation techniques that may allow entities to prevent cyber incidents.

General Public:  CISA can use information from significant incidents, including ransomware attacks, and “identify and disseminate ways to prevent or mitigate similar incidents in the future.”  A public, unclassified report will be published quarterly with “aggregated, anonymized observations, findings and recommendations”.

Protections for Reported Information

The Act provides for protection of the reported information in a variety of contexts.  There is a prohibition on the use of information obtained solely through reports submitted under the Act to regulate the reporting entity.  The submission of a report cannot serve as the basis for a cause of action.  Reports and documents relating to their preparation, drafting, or submission are not subject to discovery and cannot be received into evidence in a trial or proceeding.  Reporting will not constitute a waiver of any applicable privilege or protection provided by law.  Information in a report can be designated as commercial, financial, and proprietary information of the covered entity.  Reports will not be subject to Freedom of Information Act requests or any other public disclosure provision. 

What Critical Infrastructure Should Do Now

While CISA has not formally begun the rulemaking process that will make the reporting provisions mandatory, organizations should immediately. 

  • Consider whether, based on the guidance issued to date, they are part of the “critical infrastructure.”
  • Determine whether and when voluntary reporting might be appropriate before the requirement becomes mandatory.
  • Stay informed about the rulemaking process and consider submitting comments during the rulemaking process to provide feedback regarding any concerns resulting from the proposed reporting requirements and mechanics.
  • Review the company’s incident response plan and strategize with internal and external incident response resources about operationalizing a 72-hour (24-hour when a ransom payment is made) reporting requirement and a requirement to promptly supplement reports.
  • Analyze supplier and vendor cyber incident reporting requirements and consider revisions for key entities.

Orrick’s Cyber, Privacy, & Data Innovations team is ready to assist critical infrastructure entities in reviewing their cyber security programs in light of this announced reporting framework and designing practical, forward-thinking strategies to aid with reporting compliance.



[1] Subject to rulemaking by CISA.

[2] Subject to rulemaking by CISA.

[3] Subject to rulemaking by CISA.

[4] Subject to rulemaking by CISA.

[5] Subject to rulemaking by CISA.