The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published its long-awaited cyber incident reporting rule today for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), requesting public input on the forthcoming regulations.

CISA posted the Notice of Proposed Rulemaking (NPRM) to the Federal Register on March 27 for public inspection, and it will officially publish the proposed rule on April 4. The public will then have 60 days to submit written comments to help inform the final rule – which it expects to publish within 18 months of the close of the comment period.

CIRCIA – signed into law by President Biden in March 2022 – requires CISA to develop and implement regulations requiring covered entities to report cyber incidents and ransomware payments to the government.

Under the law, critical infrastructure owners and operators are obligated to report certain cyber incidents to CISA within 72 hours, and to report ransomware payments they made to attackers within 24 hours.

“CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure,” CISA Director Jen Easterly said in a statement.

“It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats,” Easterly added. “We look forward to additional feedback from the critical infrastructure community as we move towards developing the final rule.”

According to the proposed rule, the “covered entities” that must comply with these cyber reporting requirements include those that are larger than the small business size standard, and those that operate in a critical infrastructure sector.

CISA expects the proposed rule to cost $2.6 billion over an 11-year period beginning in 2023, including $1.4 billion for industry compliance and $1.2 billion for government implementation.

The agency expects 316,244 organizations to be affected by the rule, which will submit an estimated 210,525 reports during this period. The organizations will submit the reports through a single, web-based form.

During a briefing with reporters today on the proposed rule, a senior CISA official acknowledged that the fiscal year (FY) 2024 budget “came in a little bit less than our request for CIRCIA-related funding, and so we’ll be working through exactly what that means.”

Specifically, the FY2024 budget included $73.9 million to implement CIRCIA requirements, a $23.8 million decrease from the White House’s request.

“At the end of the day, this agency is committed to being prepared and ready when the rule goes live that we can implement it fully – and I expect that to be the case,” the senior CISA official said. “I don’t think we will be looking for a new funding model … but we will ensure that we have the right resources in place to leverage this program to achieve its important goals.”

The senior CISA official also noted that the agency does not plan to individually notify every organization of whether it is a covered entity. “We believe that any individual company will be able to determine for themselves that they are,” they said.

Additionally, the senior CISA official teased that the agency is working on developing a longer-term plan for how it would make anonymized information available to researchers.

“We recognize that Congress gave us the mandate to receive these reports from covered critical infrastructure owners and operators, but really we see this legislation and implementation as a two-way street,” a senior DHS official added. “We as a department must provide value back to the country and the cybersecurity community because of this reporting and influx of information that we receive.”

The NPRM comes after a two-year process in which CISA gathered input from public and private sector stakeholders. The agency received comments through a September 2022 request for information (RFI) and multiple public listening sessions.

Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.