Cyber reporting for critical infrastructure: CISA proposal raises many questions, invites comments

On March 29, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) issued a long-awaited proposed rule to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The 447-page draft, if adopted as proposed, would require prompt reporting of cyber incidents and ransomware payments from an estimated 316,244 affected entities spanning 16 critical infrastructure sectors — including chemical, communications, energy, financial services, food and agriculture, healthcare, information technology and transportation.

On April 30, 2024, the White House rescinded and replaced Presidential Policy Directive 21 (PPD-21) with the National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22), which now serves as the authoritative guideline. NSM-22 aligns the government around what will be a covered entity. While the general framework has been maintained, including the designation of the 16 critical infrastructure subsectors, NSM-22 expands CISA’s oversight roles, highlights the need for operational collaboration, expands the definition of critical infrastructure assets and prioritizes minimum requirements for risk management.

The aim is to help CISA more effectively identify threat patterns in real time, fill critical information gaps, deploy resources rapidly to help cyber attack victims and alert others who are potentially affected. More broadly, it supports the fundamental policy goal of CIRCIA — to protect US national security, economic security and public health and safety through a coordinated approach for understanding cyber incidents across critical infrastructure sectors. Such an approach can help address blind spots that can exist in the current landscape of specialized and often sector-specific cyber reporting requirements from an array of federal, state and local authorities.

To meet the regulatory goal of obtaining timely reports of cyber incidents at sufficient scale to identify patterns and provide early warnings, the proposed rule would require an expansive group of covered entities to report cyber incidents within a 72-hour window. Reporting of ransom payments would be due within 24 hours after payment is disbursed.

CISA is seeking public input on the proposal. Comments are due 90 days after the proposal was published in the Federal Register on April 4, 2024. The comment period for the proposed rule was extended from June 3, 2024 to July 3, 2024.

Although subject to change based on this input, the measure sets the contours of regulatory expectations and makes clear the extent of its potential reach. What’s less clear is how to resolve the many questions raised by the details in this mammoth proposal.

Affected organizations should seek answers to these questions, assess their potential exposure and prepare for the burden of a new, more stringent and potentially duplicative cyber disclosure regime. Start by engaging with CISA and industry peers to address areas of concern and ambiguity.

What companies are subject to CISA reporting?

NSM-22 defines “critical infrastructure” as the essential physical and virtual assets and systems that are extremely important for the country and would have a severe negative impact on national security, economic security or public health and safety if they were disabled or destroyed. Critical infrastructure consists of distributed networks, different organizational structures, various operating models, interconnected systems and governance constructs. Under CIRCIA, entities within this defined critical infrastructure are recognized as “covered entities,” subject to specific cyber reporting and management requirements.

In addition to critical infrastructure organizations, NSM-22 includes “systemically important entities” (SIEs). These are entities whose infrastructure is crucial, and if disrupted or not working properly, would have significant negative effects on national security, economic security and public health or safety. CISA will work with other federal agencies to create the list of SIEs, which will not be made available to the public.

CISA anticipates that the process for an entity to determine if it falls within a critical infrastructure sector will typically be straightforward. For example, entities engaged in or facilitating transportation, such as airplane or car manufacturers, airport and train station operators, and trucking companies, can readily self-identify as being in the transportation services sector. Banks, credit unions, credit card companies, registered broker-dealers and other entities providing financial services can similarly self-identify as being in the financial services sector.

What does the rule say?

Where self-identification is less clear, the proposed rule explicitly applies to an entity in a critical infrastructure sector that either exceeds the small business size standard in the Small Business Administration’s regulations or meets one or more sector-based criteria in proposed §226.2(b), regardless of the entity’s size.

The sector-based criteria proposed for chemical companies, for instance, would capture any entity that owns or operates a CFATS-covered chemical facility. The sector-based criteria for healthcare and public health organizations would include, among others, entities that manufacture any Class II or III medical device.

Guidance on sector-based criteria

To justify subjecting smaller entities to CIRCIA reporting if they meet any of these sector-based criteria, CISA reasoned:

[A]n entity’s size does not necessarily reflect its criticality. Some entities in a critical infrastructure sector that fall below the proposed size-based thresholds own or operate systems or assets that would be likely to meet the definition of critical infrastructure set forth by 42 U.S.C. 5195c(e). One of the main purposes of this regulatory program authorized by CIRCIA is to enhance the security and resiliency of critical infrastructure, and therefore, receiving [reports] from as many entities that own or operate critical infrastructure as possible is imperative to meet this directive.

In applying these sector-specific criteria, CISA proposes that the covered entity is “the entire entity … not the individual facilities or functions” that meet the sector-specific criteria. Consequently, a substantial cyber incident experienced by a noncritical part or facility of a covered entity would still need to be reported.

Questions to consider

  • Is your sector considered critical infrastructure under NSM-22?
  • If it is considered critical infrastructure, do you have sufficient information to determine if your organization is a covered entity?
  • Regardless of your organization’s size, would it be considered a covered entity because it meets one or more sector-based criteria in proposed §226.2(b)?
  • Is additional clarity needed to determine whether your organization is a covered entity?

What cyber incidents must be reported?

CIRCIA requires CISA to define the term “covered cyber incident” in its proposed rule. Because the statute requires that covered entities report only those incidents that qualify as covered cyber incidents to CISA, this definition is essential for triggering the reporting requirement. CISA is proposing to define covered cyber incident to mean “a substantial cyber incident experienced by a covered entity.”

In turn, the proposed rule defines “substantial cyber incident” to mean a cyber incident that leads to any of the following:

  1. Substantial loss of confidentiality, integrity or availability of a covered entity’s information system or network.
  2. Serious impact on the safety and resiliency of a covered entity’s operational systems and processes.
  3. Disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services.
  4. Unauthorized access to a covered entity’s information system or network — or any nonpublic information it contains — that’s facilitated through or caused by a compromise of a cloud service provider, managed service provider or other third-party data hosting provider or by a compromised supply chain.

The fourth item above is significant in that unauthorized access alone — without resulting in the impacts described in items 1-3 — would qualify as a substantial cyber incident if it’s facilitated through or caused by a third-party provider or supply chain breach. Given the pervasive use of third-party services across all sectors, this provision could pose unique challenges in determining whether a reportable incident has occurred.

Excluded events

CISA proposes to exclude three events from its definition of substantial cyber incident.

  • Any lawfully authorized activity of a federal, state or local government entity, including activities undertaken pursuant to a warrant or other judicial process.
  • Any event where the cyber incident is perpetrated in good faith by an entity in response to a specific request by the owner or operator of the information system.
  • A threat of disruption as extortion, as described in 6 U.S.C. §650(22).

This last exclusion clarifies that the threat of a system’s disruption to extort a ransom payment that doesn’t result in actual disruption is an imminent but not “actual” event, and therefore need not be reported.

Illustrative examples

To help covered entities determine what might and might not qualify as a substantial cyber incident, CISA offers this non-exhaustive list of examples.

Incidents that likely would qualify as substantial cyber incidents

  • A distributed denial-of-service attack rendering a covered entity’s service unavailable to customers for an extended period of time.
  • Any cyber incident that encrypts one of a covered entity’s core business systems or information systems.
  • A cyber incident that significantly increases the potential for a release of a hazardous material used in chemical manufacturing or water purification.
  • A cyber incident that compromises or disrupts a bulk electric system (BES) cyber system that performs one or more reliability tasks.
  • A cyber incident that disrupts a communications service provider’s ability to transmit or deliver emergency alerts or 911 calls, or results in the transmission of false emergency alerts or 911 calls.
  • The exploitation of a vulnerability resulting in the extended downtime of a covered entity’s information system or network.
  • A ransomware attack that locks a covered entity out of its industrial control system.
  • Unauthorized access to a covered entity’s business systems caused by the automated download of a tampered software update, even if no known data exfiltration has been identified.
  • Unauthorized access to a covered entity’s business systems using compromised credentials from a managed service provider.
  • The intentional, unauthorized exfiltration of sensitive data for an unauthorized purpose, such as through compromise of identity infrastructure or unauthorized downloading to a flash drive or online storage account.

Incidents that likely would NOT qualify as substantial cyber incidents

  • A denial-of-service attack or other incident that only results in a brief period of unavailability of a covered entity’s public-facing website that does not provide critical functions or services to customers or the public.
  • Cyber incidents that result in minor disruptions, such as short-term unavailability of a business system or a temporary need to reroute network traffic.
  • The compromise of a single user’s credential, such as through a phishing attempt, where compensating controls (such as enforced multifactor authentication) are in place to preclude use of those credentials to gain unauthorized access to a covered entity’s systems.
  • Malicious software is downloaded to a covered entity’s system, but antivirus software successfully quarantines the software and precludes it from executing.
  • A malicious actor exploits a known vulnerability, which a covered entity has not been able to patch but has instead deployed increased monitoring for tactics associated with its exploitation, resulting in the activity being quickly detected and remediated before significant additional activity is undertaken.

Questions to consider

  • Is there enough clarity around the four proposed thresholds for a “substantial cyber incident?”
  • Who in your organization will determine whether a substantial cyber incident has occurred?
  • Would you be able to promptly determine whether your cloud service provider, managed service provider or other third-party data hosting vendor experienced a reportable breach?
  • How can you gain better visibility into third-party and supply chain breaches?

When are CISA reports due?

CIRCIA requires covered entities to report to CISA covered cyber incidents within 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred, and ransom payments made in response to a ransomware attack within 24 hours after the payment has been disbursed.

What constitutes a reasonable belief?

CISA acknowledges that the point at which a covered entity should have “reasonably believed” a covered cyber incident occurred is subjective and will depend on the specific factual circumstances. Accordingly, the agency isn’t proposing a definition of the term “reasonably believes,” nor does it try to prescribe a specific point in the incident life cycle when a “reasonable belief” will always be realized. Rather, CISA is providing guidance to help covered entities understand when a “reasonable belief” might be expected to have occurred.

CISA doesn’t expect a covered entity to have reached a “reasonable belief” that a covered cyber incident happened immediately upon its occurrence, although this can happen (e.g., when an entity receives a ransom demand simultaneously with discovery that it’s been locked out of its system). An entity may need to perform some preliminary analysis before coming to a reasonable belief that a covered incident occurred. Preliminary analysis may be necessary, for instance, to quickly rule out certain benign causes or determine the extent of the incident’s impact. CISA believes that in most cases, this analysis should be relatively quick (i.e., hours, not days) before a reasonable belief can be obtained, and generally would occur at the subject matter expert level and not the executive officer level. As time is of the essence, the agency expects a covered entity to engage in this preliminary analysis as soon as reasonably practicable after becoming aware of an incident.

Joint reports

A covered entity that experiences a covered cyber incident and makes a ransom payment within 72 hours after it reasonably believes a covered cyber incident has occurred may submit a joint covered cyber incident and ransom payment report to CISA within 72 hours after it reasonably believes the incident has occurred.

Supplemental reports

A covered entity must promptly submit supplemental reports to CISA once it becomes aware of substantial new or different information regarding a previously reported incident. “Substantial new or different information” includes but isn’t limited to any information that the covered entity was required to provide as part of a covered cyber incident report but did not have at the time of submission. This obligation continues unless and until the covered entity notifies CISA that the incident in question has been fully mitigated and resolved.

CIRCIA requires supplemental reports be submitted “promptly,” which CISA interprets as within 24 hours of the triggering event. If a covered entity submits a supplemental report on a ransom payment made after the covered entity submitted a covered cyber incident report, as required by §226.3(d)(1)(ii), it must submit the supplemental report within 24 hours after disbursing the ransom payment.

Questions to consider

  • Do you have the process and capabilities to deliver CISA reports within the proposed time frames?
  • How would the 72-hour reporting requirement affect your engagement with other regulators or government agencies?
  • Does CISA provide enough clarity on the definitions of “substantial cyber incident” and “reasonable belief” to make disclosure decisions within 72 hours?
  • Who in your organization will determine “reasonable belief?”

Is CISA reporting harmonized with other cyber disclosure requirements?

Congress sought to reduce the compliance burden of filing duplicative cyber reports to multiple federal agencies. Under CIRCIA, a covered entity that’s required by law, regulation or contract to report substantially similar information on a covered cyber incident or ransom payment to another federal agency in a substantially similar timeframe doesn’t have to submit a CIRCIA report if CISA has an information-sharing agreement and mechanism in place with the other agency. The law similarly excludes duplicative supplemental reports to CISA.

What does the rule say?

The proposed rule would implement this harmonization mandate in §226.4. That provision would create an exception for a covered entity that’s required to report “substantially similar information within a substantially similar timeframe” to another federal agency, if that agency has an information-sharing agreement in place with CISA.

The proposal sets parameters around when CISA will accept a report made to another agency in satisfaction of CIRCIA’s reporting requirements. Specifically, CISA will enter into an information-sharing agreement with a federal agency — defined in the proposal as a “CIRCIA agreement” — when CISA has determined the agency requires cyber incident reporting on “substantially similar information in a substantially similar timeframe” and the agency has “committed to providing the covered entity’s report to CISA within the relevant deadlines.” CISA commits to working in good faith with other federal agencies to have CIRCIA agreements in place before the final rule’s effective date.

NSM-22 maintains previously stated approaches to achieve harmonization and appoints a National Coordinator and Sector Risk Management Agencies (SRMAs) to synchronize the risk reporting cycle to improve efficiency and reduce duplication of effort.

Will it work in practice?

Whether this commitment will result in actual harmonization of duplicative reports is unclear. Citing its involvement in harmonization efforts by the Cyber Incident Reporting Council (CIRC), which developed a model definition of a reportable cyber incident, CISA observes that CIRCIA reporting requirements are different from, or more stringent than, most existing requirements — including in some respects the CIRC model definition. “While many of the regulations CISA reviewed have some similarities in how they define and interpret what is a reportable cyber incident, the specific language, structure, examples, and actual requirements varied greatly based on the specific agency mission and purpose of the regulation,” CISA noted.

The most effective approach to harmonization, CISA concludes, is for other agencies to use CIRC’s model definition of a reportable cyber incident to the extent possible by revisiting current rules or applying it in future rule-making.

Questions to consider

  • What are potential approaches to harmonizing CIRCIA’s reporting requirements with other existing federal, state or local laws, regulations, directives or similar policies that require disclosure of cyber incidents or ransom payments?
  • How can CISA reduce actual, likely or potential duplication or conflict between CIRCIA reporting and other federal, state or local requirements?
  • What are concrete examples from other laws, regulations, directives and policies that conflict with CIRCIA?
  • What are concrete examples of the burden that comes from fulfilling duplicate reporting requirements and where harmonization matters most?

What enforcement tools does CISA have?

As authorized by CIRCIA, the proposed rule creates enforcement mechanisms for CISA to obtain information from a covered entity about a covered cyber incident or ransom payment that the entity failed to report. These powers include issuing a request for information (RFI), issuing a subpoena to compel disclosure, making a referral to the US attorney general for a civil enforcement action and initiating acquisition, suspension and debarment procedures against entities that do business with the federal government.

Requests for information

CISA could issue an RFI to a covered entity if there’s reason to believe that the entity experienced a covered cyber incident or made a ransom payment but failed to report it. “Reason to believe” that a covered entity failed to submit a CIRCIA report may be based on public reporting or other information in the government’s possession, which includes analysis performed by CISA.

The agency may decide the scope and nature of information necessary to confirm whether a covered cyber incident or ransom payment occurred. Requested information could include electronically stored information, documents, reports, verbal or written responses, records, accounts, images, data, data compilations and tangible items. A covered entity would have to reply in the manner and format, and by the deadline, specified in the RFI.

Subpoena powers

If the entity doesn’t respond by the RFI deadline or responds inadequately, CISA could issue a subpoena to compel disclosure. Subpoenaed information — like that requested in an RFI — could include electronically stored information, documents, reports, verbal or written responses, records, accounts, images, data, data compilations and tangible items.

CISA would have authority to share information submitted in response to a subpoena with the US attorney general or a federal agency if CISA finds grounds for criminal prosecution or enforcement action. The attorney general or agency could use that information to initiate a criminal prosecution or enforcement action. Any decision by CISA to exercise this authority can’t be appealed.

Civil enforcement actions

If a covered entity fails to comply with a subpoena, CISA could refer the matter to the attorney general to bring a civil action to enforce the subpoena. A US district court may order compliance with the subpoena and punish noncompliance as a contempt of court. If the action was based on classified or protected information, that information could be submitted to the reviewing court without the covered entity’s participation. Covered entities wouldn’t have a right to appeal.

Criminal penalties

The proposal also authorizes criminal penalties for false statements. Any person that knowingly and willfully makes a materially false or fraudulent statement or representation in connection with, or within, a CIRCIA report, response to an RFI or response to an administrative subpoena would be subject to penalties under 18 U.S.C. §1001. These include a fine, imprisonment of up to five years (eight years if the offense involves terrorism) or both.

Recognizing the potential for good-faith errors in CIRCIA reports, CISA says it “would not consider scenarios where a covered entity reports information that it reasonably believes to be true at the time of submission, but later learns through investigation that it was not correct and submits a Supplemental Report reflecting this new information, to constitute a false statement or representation.”

Questions to consider

  • Would the proposed enforcement and information-sharing requirements have a chilling effect on your outreach to other agencies?
  • Would uncertainty surrounding enforcement have a chilling effect on your willingness to collaborate with CISA outside of this rule?

Contact us

Matt Gorham

Cyber & Privacy Innovation Institute Leader, PwC US

Shawn Lonergan

Partner, Technology & Operational Resilience, PwC US

Kristen Maynes

Partner, PwC US
