The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is a significant piece of legislation passed in 2022, designed to tackle cyber incidents affecting critical infrastructure. While its full impact is still unfolding, CIRCIA presents new requirements for incident reporting that cyber risk professionals need to understand and prepare for.
CIRCIA was created to help the U.S. government coordinate responses to major cyber incidents that affect essential services. Its goal is simple: improve cybersecurity across critical sectors and ensure timely incident reporting so that appropriate measures can be taken to mitigate the harm. This is not about adding another layer of business regulation; instead, CIRCIA is a key part of defending national security.
Let's start with what the law requires. Under CIRCIA, any covered entity that experiences a substantial cyber incident must report it to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of reasonably believing an incident occurred. If a ransomware payment is made, a report must be submitted within 24 hours. These timelines are tight, especially considering that many organizations take much longer to identify and fully assess an incident.
But first, what is a covered entity? CIRCIA focuses on critical infrastructure, which is defined across 16 sectors, including energy, healthcare, financial services, water systems, transportation, and IT. If your organization operates within one of these sectors, you are likely considered a covered entity. It's important to note that smaller businesses may be excluded, but any large organization within these sectors will be subject to the new reporting rules.
Now, what's a "substantial" cyber incident? That's where things get a little tricky. CIRCIA defines a substantial cyber incident as one that causes significant loss of confidentiality, integrity, or availability of a system or network, or one that seriously impacts the safety and resiliency of a covered entity's operations—it's not just a minor disruption. The law points specifically to situations like major ransomware attacks, data breaches facilitated by third-party providers, and supply chain compromises. This makes it clear that the focus is on incidents that pose a serious threat, not on small, everyday cyber issues like phishing attempts or minor vulnerabilities.
CIRCIA also requires reporting on any ransomware payments made. Even if the ransomware attack itself does not meet the threshold for being a "substantial" incident, the fact that a payment was made triggers a mandatory report to CISA. This provision aims to give the government better visibility into the scope of ransomware activity, which has been growing rapidly in recent years. And to streamline things, if both a cyber incident and a ransom payment occur, a joint report can be submitted.
The law is not just concerned with getting reports. It also wants to make sure the information is used correctly and protected. CISA can use the information provided in five key ways:
1. For cybersecurity purposes
2. To identify threats and vulnerabilities
3. To prevent or mitigate serious economic harm or bodily harm
4. To investigate threats to minors
5. To prosecute cybercrime, including fraud and espionage
Outside these uses, CISA is prohibited from sharing or using the information in ways that would harm the reporting entity. This includes protections from being penalized or subject to regulatory action based solely on the incident report. The goal is to encourage openness and transparency in reporting without fear of retribution.
But here's the catch: filing these reports will take some serious work. The law specifies that entities must provide detailed information about the incident, including:
1. The systems affected
2. The nature of the attack
3. Any unauthorized access
4. Steps taken to mitigate the damage
It even requires details about third-party providers that might have been involved. That means organizations will need to document their incidents thoroughly and be ready to submit updates until the situation is fully resolved.
Additionally, covered entities that don't meet their reporting obligations could face fines, and they must also preserve records related to an incident for up to five years. This makes it essential for organizations to not only respond to incidents but also keep good records and ensure that incident reports are complete and accurate.
So, what should you do to prepare for CIRCIA?
First, you'll need to assess whether your organization falls within the scope of the law. If you're in one of the 16 critical infrastructure sectors and meet the size thresholds, you're likely covered. Work with your legal team to confirm this.
Second, update your incident response plans. Make sure they reflect the new reporting requirements, especially the tight 72-hour window for incident reporting. This will likely require coordination across multiple teams in your organization, from IT and security to legal and compliance.
Third, develop a process for determining when an incident is "substantial." The definition provided by CIRCIA is broad, so it's critical to establish internal guidelines that help you assess whether an incident meets the reporting threshold. You don't want to over-report minor issues, but you also don't want to fail to report something that CISA would consider substantial.
Finally, be ready to handle ransom payment reporting. Even if you've never paid a ransom before, it's important to have a plan in place for how you would handle a ransomware attack and ensure compliance with the 24-hour reporting requirement if a payment is made.
The good news is that CISA is committed to helping organizations navigate this new requirement. And while CIRCIA reporting may seem like an additional burden, it's really about improving overall national security. As cyber incidents become more common and more damaging, it's essential that the government and critical infrastructure organizations work together to respond quickly and effectively.
All internet users should want much better digital protection than we have today. Filing reports is a necessary step in that direction.
In the end, CIRCIA is about making sure the country can respond to the growing threats that cyberattacks pose to our critical infrastructure. And for cyber risk management professionals, that means doing your homework now to be ready for when these rules take full effect.