The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) this week published a proposed rule that would require critical infrastructure sectors to report cybersecurity incidents to DHS.

Mandatory Cyber Incident Reporting Background and Summary

Congress in early 2022 passed the Cyber Incident Reporting for Critical Infrastructure Act, known as CIRCIA (“sir-see-ah”).

CIRCIA requires CISA to develop and issue regulations within 24 months requiring entities within critical infrastructure sectors, as defined by the federal government, to report any covered cyber incidents within 72 hours from when the entity reasonably believes the incident occurred. Such regulations, announced in proposed form this week and published for public comment, must be finalized within 18 months from now. The Food and Agriculture sector is considered a critical infrastructure sector by the U.S. government.

Comments on the proposed regulation, known as “Cyber Incident Reporting for Critical Infrastructure (CIRCIA) Reporting Requirements,” are due by June 3, 2024.

The proposed rule includes descriptions and applicability criteria for determining whether an entity is covered under CIRCIA and thus subject to the reporting requirements, including any exceptions to reporting. The rule also includes detailed descriptions of the manner, form, and content of cyber incident reports that CISA will require, including timing of submission, procedures, data required for inclusion, and penalties for noncompliance.

The rule also includes contemplation of expected costs for both industry and government to implement the statute.

CISA’s proposed rule can be found here.

Other CIRCIA Requirements

CIRCIA would also require any federal office that has received a report on a cyber incident to share that report with CISA within 24 hours. CISA will also have to make information received under CIRCIA available to certain federal agencies within 24 hours.

Finally, CIRCIA required DHS to establish and chair an intergovernmental Cyber Incident Reporting Council to coordinate federal incident reporting requirements.

Regarding ransomware, CIRCIA required CISA to develop and issue regulations requiring covered entities to report to CISA within 24 hours of making any ransom payments made as a result of a ransomware attack. CISA must share these reports with other relevant federal agencies.

CISA must also establish a pilot program – the Ransomware Vulnerability Warning Pilot Program – to identify systems with vulnerabilities to ransomware attacks and may notify the owners of such systems.

CISA has also announced the launch of a Joint Ransomware Task Force, including the Federal Bureau of Investigation (FBI) and the Office of the National Cyber Director.

CISA Resources

CISA also maintains secure channels to report cyber incidents, including via [email protected] and (888) 282-0870. Further information about reporting cyber incidents can be found here.