What Critical Infrastructure Should Do: Mandatory Cybersecurity Incident Reporting for Critical Infrastructure is Coming and CISA Encourages Voluntary Reporting Now | Orrick, Herrington & Sutcliffe LLP

The Cybersecurity and Infrastructure Security Agency (“CISA”) released a “Sharing Cyber Event Information” Fact Sheet on April 7 that may preview its implementation of the new federal government cyber incident reporting requirement signed into law on March 15—the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Section Y within the Consolidated Appropriations Act). Many key details of the reporting requirement are subject to future rulemaking by CISA, including the critical infrastructure organizations to which the reporting requirements will apply; what cyber incidents must be reported (i.e., “substantial” cybersecurity incidents); what information critical infrastructure organizations will have to report; and the mechanics of submitting the reports.  The critical infrastructure industry has time to prepare as the reporting requirement will not take effect until the rulemaking process has been completed, although CISA encourages voluntary reporting now.  Although the proposed rules are required to be issued in the rulemaking progress within 24 months, with the final rule due 18 months thereafter, organizations should anticipate that CISA will move more quickly, and that the final rule could be issued as early as early 2023.

Statutory Framework and CISA’s Recommendations for Current Reporting Under its Fact Sheet

The statute provides a framework that gives a picture of what can be expected when the reporting requirement becomes mandatory.  While CISA has not yet started the rulemaking process, the CISA Fact Sheet provides recommendations for voluntary reporting starting now.

The statute also imposes a duty to preserve data relevant to the covered incident or ransom payment in accordance with the final rule.

Enforcement Mechanism

The Act includes an enforcement mechanism, which is new to CISA which previously had no relevant enforcement powers and/or subpoena powers.  It now gets both.  Specifically, if the CISA Director has reason to believe that a covered entity failed to submit a required report, the Director may obtain information about the covered cyber incident or ransom payment by engaging the covered entity directly.  If after 72 hours, no response or an inadequate response is received, then CISA may seek the information via a subpoena.  If an entity fails to comply with a subpoena, CISA can refer the matter to the Attorney General to bring a civil action. The enforcement action and subpoena powers do not apply to covered entities that are State, local, Tribal or territorial government entities.

If the Director determines that information provided in response to a subpoena may constitute grounds for a regulatory or criminal action, then the Director may provide such information to the Attorney General or head of the applicable regulatory agency.  By contrast, the information contained in a voluntary report or in response to direct inquiry from CISA cannot be used as the basis for such actions.

Information Sharing Provisions

Information received in the reports will be processed and shared by CISA with a number of different groups.

Federal Government:  Within 24 hours of receiving a report, CISA will need to make the information available to “appropriate Sector Risk Management Agencies and other appropriate federal agencies.”  This interagency sharing is subject to specific requirements to be set by the President, including what agencies are to be included in the information sharing.  The FBI and Department of Justice, who had been vocal with their frustration about not being included as direct report recipients, are likely to be provided with reports through this provision. Information from the reports can also be shared with federal departments and agencies to identify and track ransom payments.  CISA will provide a monthly briefing to congressional leadership regarding the national cyber threat landscape.

Information Sharing Groups:  Anonymized information about context, threat indicators, and defensive measures will be shared with information sharing cyber groups, such as state and local governments, cyber incident response firms, and security researchers. 

Critical Infrastructure Owners and Operators:  Reported information can be shared, on a voluntary basis, between relevant critical infrastructure owners, particularly where such information relates to ongoing threats, a security vulnerability, or mitigation techniques that may allow entities to prevent cyber incidents.

General Public:  CISA can use information from significant incidents, including ransomware attacks, and “identify and disseminate ways to prevent or mitigate similar incidents in the future.”  A public, unclassified report will be published quarterly with “aggregated, anonymized observations, findings and recommendations”.

Protections for Reported Information

The Act provides for protection of the reported information in a variety of contexts.  There is a prohibition on the use of information obtained solely through reports submitted under the Act to regulate the reporting entity.  The submission of a report cannot serve as the basis for a cause of action.  Reports and documents relating to their preparation, drafting, or submission are not subject to discovery and cannot be received into evidence in a trial or proceeding.  Reporting will not constitute a waiver of any applicable privilege or protection provided by law.  Information in a report can be designated as commercial, financial, and proprietary information of the covered entity.  Reports will not be subject to Freedom of Information Act requests or any other public disclosure provision. 

What Critical Infrastructure Should Do Now

While CISA has not formally begun the rulemaking process that will make the reporting provisions mandatory, organizations should immediately. 

• Consider whether, based on the guidance issued to date, they are part of the “critical infrastructure.”
• Determine whether and when voluntary reporting might be appropriate before the requirement becomes mandatory.
• Stay informed about the rulemaking process and consider submitting comments during the rulemaking process to provide feedback regarding any concerns resulting from the proposed reporting requirements and mechanics.
• Review the company’s incident response plan and strategize with internal and external incident response resources about operationalizing a 72-hour (24-hour when a ransom payment is made) reporting requirement and a requirement to promptly supplement reports.
• Analyze supplier and vendor cyber incident reporting requirements and consider revisions for key entities.

Orrick’s Cyber, Privacy, & Data Innovations team is ready to assist critical infrastructure entities in reviewing their cyber security programs in light of this announced reporting framework and designing practical, forward-thinking strategies to aid with reporting compliance.

Comments are closed.