CIRCIA: Cyber Incident Reporting for Critical Infrastructure

CIRCIA requires critical infrastructure organizations to report substantial cyber incidents and ransom payments. Read more about the new law

Cyber Incident Reporting for Critical Infrastructure Act, or simply CIRCIA, was passed into law in March of 2022. The Act targets organizations operating in the 16 critical infrastructure sectors obligating them to report substantial cyber incidents to Cybersecurity & Infrastructure Security Agency (CISA). The main message of the document is more than clear.

First, critical infrastructure organizations must report substantial cyber incidents to CISA. The time span for the reporting is no more than 72 hours after the incident has occurred.

Second, covered entities must report all ransom payments made as a result of ransomware attacks within 24 hours after any such payment. 

At the same time, the CIRCIA’s rulemaking process is still ongoing. CIRCIA requires the director of CISA to publish proposed rules implementing the reporting requirements within 24 months from CIRCIA’s enactment, or by no later than March 2024. Final rules must be published within 18 months of the proposed rules, or by no later than September 2025.

CIRCIA Aims to Minimize the Critical Infrastructure Incidents 

The principal goal of the CIRCIA is more than tracking data incidents within the critical infrastructure. The Act empowers CISA to gather, evaluate, and analyze information related to system infiltrations that may lead to widespread system threats. The data CISA will collect for this purpose is meant to help stop the spread of cyber attacks by identifying threat actors and helping build defenses against their attack methods. Intelligence gained will then be shared publically to enable other organizations to protect their data and systems and block new threats.

The CIRCIA’s Rulemaking Process is Still Ahead

At present, the general wording of the Act leaves some space for interpretation. For instance, some of the Act’s statements, like covered entities must file a report for a significant cyber incident within 72 hours—after they reasonably believe a qualifying incident has occurred’ – leaves more questions than answers. After reading such wordings, many businesses beyond critical infrastructure are reasonably wondering which organizations could be considered covered entities. Or, what incidents should be qualified as “significant”? And how will the “reasonable belief” be defined?

Actually, the lawmakers have more than two years to address these questions before the reporting requirements go into effect. The deadline for developing new regulations that will fulfill the Act will come up in March 2024, with the subsequent 18 months for finalization.  

Within the rulemaking process, CIRCIA requires CISA to develop and publish a Notice of Proposed Rulemaking (NPRM) and a Final Rule. The former is expected to be opened for public comments, so critical infrastructure owners and other interested entities will be able to comment on it. CISA is also mandated to consult with appropriate Federal agencies and form a Cyber Incident Reporting Council. 

Thus, a long-lasting rulemaking process is still ahead. However, given the increasing cyber threat landscape, it is highly likely that CISA will accelerate efforts to help reduce overall threats and mitigate potential losses.

Critical Infrastructure Organizations are not the Only CIRCIA’s Covered Entities

While most of CIRCIA’s definitions are left to the ongoing rule-making process, we will try to explain some details of the act by reading between the lines. 

The first and the most logical question arising after reading the Act is who are, actually, the “covered entities”. The CIRCIA’s formulation – “covered entities operating in the critical infrastructure sectors” – unambiguously points to businesses engaged in the 16 critical infrastructure sectors, identified in Obama’s 2013 Presidential Policy Directive. These include information technology, financial services, telecommunications, energy, healthcare, and others. And these companies are already aware they will be subject to the law and new reporting requirements. 

However, organizations that operate as critical infrastructure organizations’ subcontractors, vendors, and suppliers are still waiting for an explanation. The final decision on CIRCIA’s covered entities remains with CISA, but there are reasons to believe that it will likely include subcontractors, vendors, and/or suppliers that exchange data or share technology with a critical infrastructure organization. All such organizations should pay close attention to the regulation development process. Preparing for new information protection responsibilities is also necessary as they may be needed in order to comply with the new law.

Substantial Cyber Incidents to be Reported

If it seemed to you that the definition of “covered cyber incident” is way too general, then you are right. It is also still unclear what incidents are required to be reported.

CIRCIA provides guidance about the types of incidents for reporting. These will likely include any incident that jeopardizes an information system or the information contained in such a system. Besides this, a covered cyber incident under CIRCIA must be “substantial”, which entails at a minimum:

  • a substantial loss of confidentiality, integrity, or availability of an affected information system or network. A serious impact on the safety and resiliency of operational systems and processes.
  • disrupt business or industrial operations due to a DDoS attack, ransomware attack, exploitation of a zero-day vulnerability, etc; and/or
  • involve “unauthorized access to or disruption of business or industrial operations” caused by the compromise of a cloud service provider, other third-party data hosting provider, or by a supply chain compromise.

The act recommends considering the tactics the attackers used, the type of data at issue, the number of individuals potentially affected, and the potential impact of the incident on industrial control systems to determine the incident’s classification. 

It is expected to be a broad and highly detailed list of the potential covered cyber incidents, isn’t it? With these recommendations, CIRCIA aims to achieve two goals. First, it prompts to reconsider the security hygiene of critical systems. Second, it will help monitor the incident trends and ensure CISA can effectively identify and promote threat elimination strategies. 

Payments Made in Result of the Ransomware Attack to be Reported  

Unlike the “covered entities” and “covered cyber incidents”, the ransom payment reporting obligations are pretty clear.

The “ransom payment” under CIRCIA is the “transmission of any money or other property or asset”. This asset may even include a virtual currency” that has been delivered as ransom.

A “ransomware attack,” in turn, is defined as an incident that includes the use of unauthorized or malicious code. It may also include some other mechanism “to interrupt or disrupt” the operations of an information system or to compromise the data on an information system “to extort a demand for a ransom payment.”

Remember that the timing for the ransom payments reporting must be completed within 24 hours after any such payment. 

Notably, CIRCIA limits the ransomware reporting requirement to payments made as a result of ransomware. In other words, the covered entities will not be required to report ransom payments made in response to other types of cyber extortion. For instance, if an attacker downloaded data from an unsecured cloud account and demanded payment, such a payment would not be reportable. 

At the same time, CIRCIA states that a ransom payment may trigger the notification requirement even if the ransomware attack does not belong to the covered cyber incidents. 

CIRCIA Enforcement Provisions

CIRCIA endows CISA with its first-ever enforcement powers, albeit they are limited.

If CISA has reason to believe that a company failed to report a cyber incident or a ransom payment, it may request additional information to determine whether such an incident or payment occurred. If the company fails to provide this information, CISA may refer the matter to the Department of Justice for civil action. The matter may potentially include contempt of court proceedings.

So, What Should Critical Infrastructure Entities Be Doing Now?

Once CIRCIA’s final regulations are implemented, covered organizations will be required to meet the stringent incident reporting obligations. The ongoing rulemaking process, however, should not delay preparatory actions. Companies in the critical infrastructure sectors should use this time to review their incident response plans. It is essential to ensure that their teams are prepared to react efficiently when cyber incidents and attacks occur. 

Thus, use the current Act’s contains detailed guidance about the types of incidents that should be reported. It also contains types of information that should be included in those reports. 

Check your readiness to report now, to be able to react efficiently in the future, and feel free to contact Planet 9 if you have any questions. We’ll be happy to assist!



Phone:  888-437-3646


Leave a Reply