
CISA Drafts New Cyber Incident Reporting Rules for Critical Infrastructure

Following up 2022's CIRCIA Act.
Ryan Uliss
Contributing Writer

The Cybersecurity and Infrastructure Security Agency (CISA) has published its report of proposed rules detailing how critical infrastructure organizations must report cybersecurity incidents and ransomware payments to the federal government.

This report follows up on the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) passed in 2022, which establishes regulations for businesses considered critical infrastructure, such as water utilities or transportation. These entities must now report cyber incidents within 72 hours and ransomware payments within 24 hours. The incidents covered include those that “lead to substantial harm or pose a significant threat to the organization’s ability to function or to national security, public health, or safety.”

Cost and Scope of New Regulations

Secretary of Homeland Security Alejandro Mayorkas stated that the reporting requirements will enhance the government’s ability to identify trends, assist victims, and share information to reduce risk across all critical infrastructure sectors. However, CISA estimates that enforcing the rule would cost $2.6 billion over the next 11 years, with $1.4 billion in costs to industry and $1.2 billion to the federal government.

The proposed rules cover 16 critical infrastructure sectors, including manufacturing, energy, financial services, healthcare, transportation, and water utilities. CISA anticipates over 316,000 entities will be affected, collectively submitting an estimated 210,525 reports over the next decade. However, the rules also include numerous exemptions and sector-specific criteria, raising concerns about potential gaps in coverage.

The public will have 60 days to comment on the proposed rules; CISA will then revise the regulations and finalize them within the next 18 months. However, experts have questioned the delays and the limited scope of the initial draft.

Concerns Raised by Experts

Josh Corman, a cybersecurity expert and former CISA COVID Task Force leader, raised concerns about CISA’s efforts to limit the organizations regulated under CIRCIA. He argued that the focus on large organizations ignores the pivotal role of smaller companies in many industries, and the emphasis on exceptions is “complex and harmful to intent.”

Corman also criticized the use of sector-specific plans from 2015 as the basis for determining covered entities, arguing that these plans are outdated and may not accurately reflect which industries are currently at risk.

Constraints and Implementation Challenges

While some experts praised the inclusion of measures tracking ransomware payments, others questioned how CISA would handle cases in which critical infrastructure organizations fail to report incidents that are later revealed publicly.

The CIRCIA rules add another layer to an already complex body of regulation governing cybersecurity incident reporting. Experts emphasize the need to harmonize these various requirements, including those from the Securities and Exchange Commission, to avoid conflicts and ensure compliance.

Some experts have raised concerns about whether smaller critical infrastructure organizations, such as community water systems, have the financial resources and expertise to implement the reporting requirements effectively. CISA has acknowledged budget constraints and is working to upgrade its technological infrastructure to handle the influx of reports.

The Wrap

The proposed rules come amid heightened concerns about nation-state actors, such as China’s “Volt Typhoon” campaign, targeting U.S. critical infrastructure. Experts argue that the incident reporting requirements are crucial for improving the government’s visibility into these threats and enabling a more coordinated response.

As the public comment period begins, stakeholders across the critical infrastructure sectors will have the opportunity to provide feedback and shape the final regulations. The successful implementation of these rules will be pivotal in enhancing the nation’s cybersecurity resilience and protecting vital systems from increasingly sophisticated cyber threats.
