President Joe Biden recently signed into law the Cyber Incident Reporting For Critical Infrastructure Act of 2022. This new law updates the Federal Information Security Modernization Act (FISMA). The act adds responsibilities for federal agencies and the Cybersecurity & Infrastructure Security Agency (CISA) to protect federal networks, funds and supports cloud-focused jobs in the federal space, and most importantly for businesses, creates federal notification requirements for “covered entities.”
Who is covered by the act?
“Covered entities” are covered by the definition of “critical infrastructure” in the 2013 Presidential Policy Directive/PPD-21 on Critical Infrastructure Security and Resilience. This definition may be limited by the final rulemaking by CISA. However, even if narrowed down, “covered entities” could include a broader swath of potential businesses beyond just power generation. For an example of how broad critical infrastructure has become, see the Critical Infrastructure Workers’ Guidance for COVID 19 (pdf).
What are the act’s reporting requirements?
Section 2242 of the bill requires notification of CISA within 72 hours after the discovery of a cyber incident and requires notification of any ransom payments made within 24 hours. Although the details of what will be required in these reports will be subject to later rulemaking, companies must at a minimum include a description of the incident and its impact, vulnerabilities exploited, contact information, and categories of information that could have been accessed or acquired by a threat actor.
How will the new law be enforced?
The bill provides subpoena and civil action power for the U.S. Attorney General to enforce the act and ensure compliance. Importantly, the act treats all information collected under this reporting scheme as part of information in the Cybersecurity Information Sharing Act of 2015, explicitly prohibits the use of information collected through this process in regulatory actions, and provides a liability shield for civil suits for those who report.
This safe harbor is likely an attempt to achieve the goal of the act, which CISA Director Jen Easterly described as, “to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure.” She continued by stating that the information derived from this reporting “…will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.”
How can I prepare for these requirements?
The new reporting rules are not effective until CISA rulemaking defines “covered entities” and the types of cyber incidents the law covers. CISA has 24 months to issue a notice of proposed rulemaking, but likely will act quickly to start the regulatory process.
With at the most two years of lead time, critical infrastructure operators should watch for updates during CISA’s rulemaking process and take steps now to review and update their incident response policies and procedures. Woods Rogers Cybersecurity & Data Privacy attorneys recommend working with outside counsel to craft appropriate procedures that will satisfy regulatory requirements.