The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) this week announced a 30-day extension to the comment period for a proposed rule that would require critical infrastructure industries to report cyber incidents within a given timeframe.

The proposed rule, known as the Cyber Incident Reporting for Critical Infrastructure (CIRCIA) Reporting Requirements, was initially published on April 4, and comments were due by June 3, 2024. That comment deadline has now been moved back to July 3, 2024. CISA’s official notice of the comment period extension can be found here.

Congress in early 2022 passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which required CISA to develop and issue regulations within 24 months requiring entities within critical infrastructure sectors, as defined by the federal government, to report any covered cyber incidents within 72 hours from when the entity reasonably believes the incident occurred. Such regulations, now available for public comment, must be finalized within 18 months. The Food and Agriculture sector is considered a critical infrastructure sector by the U.S. government.

The proposed rule includes applicability criteria for determining whether an entity is covered under CIRCIA and thus subject to the requirements. These criteria note that meat and poultry processors with over 500 employees are covered entities and must comply with the regulation once implemented.

The rule also includes detailed descriptions of the manner, form, and content of cyber incident reports, including timing of submission, procedures, data required for inclusion, and penalties for noncompliance.

The rule also considers the expected costs for both industry and government to implement the regulations.

CIRCIA would also require any federal office that has received a report on a cyber incident to share that report with CISA within 24 hours. CISA will also have to make information received under CIRCIA available to certain federal agencies within 24 hours. CIRCIA required DHS to establish and chair an intergovernmental Cyber Incident Reporting Council to coordinate federal incident reporting requirements.

Regarding ransomware, CIRCIA required CISA to develop and issue regulations requiring covered entities to report to CISA within 24 hours of making any ransom payments in a ransomware attack. CISA must share these reports with other relevant federal agencies. CISA will also establish the Ransomware Vulnerability Warning Pilot Program and has launched the Joint Ransomware Task Force, with participation from the FBI and the National Cyber Director.