On March 10, 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 as part of the $1.5 trillion omnibus spending bill to fund federal government programs through the remainder of fiscal year 2022. President Biden signed the bill into law on March 15, 2022. The Act’s passage represents many months of negotiations between Congress, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and industry stakeholders, and is considered the most serious regulation of the wider U.S. cybersecurity infrastructure to date. Debates between these stakeholders focused largely on how quickly covered entities would be legally required to report cyber incidents, with some members of Congress preferring a 24-hour timeline and industry stakeholders favoring a 72-hour timeline. There was also considerable debate regarding which federal agencies would receive reports of cyber incidents from critical infrastructure operators.
Entities Subject to Reporting Requirements
The Act requires “covered entities” to report covered cyber incidents and ransom payments to CISA. While the Act directs the CISA Director to define “covered entities” and “covered cyber incidents” more precisely in implementing regulations, the broad definitions currently in the law provide a starting point. For example, under the Act, a “covered entity” is an entity in a critical infrastructure sector as defined in Presidential Policy Directive 21 (PPD-21). Under PPD-21, there are 16 sectors considered so vital to the United States that their incapacitation would have a debilitating effect on the health, safety and security of the nation. Designated critical infrastructure sectors include chemical, commercial facilities, communications, critical manufacturing, dams, the defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, health care and public health, information technology, nuclear, transportation, and water and wastewater.
In practice, critical infrastructure owners and operators will be amongst those covered entities subject to the Act’s cyber incident reporting requirements.
Cyber Incident Reporting Requirements
As a result of the Act, covered entities will be legally required to report cyber incidents to CISA. Specifically, a covered entity must report a “covered cyber incident” to CISA no later than 72 hours after the entity reasonably believes the incident has occurred; the law explicitly bars CISA from requiring a covered entity to report sooner than 72 hours after it reasonably believes a covered cyber incident has occurred.
“Covered cyber incidents” subject to these new reporting requirements are “substantial cyber incidents,” meaning occurrences that actually compromise the integrity, confidentiality or availability of information on an information system, or of the system itself. Notably, the Act’s definition of “cyber incident” specifically excludes an occurrence that imminently, but not actually, jeopardizes an information system, so a near miss that does not actually affect a system is not a covered cyber incident.
Prior to the Act’s passage, the issue of whether cyber incidents should be reported to the FBI in addition to CISA was heavily debated between the White House, DOJ, FBI, Congress and CISA. Specifically, DOJ argued that not requiring reporting to the FBI would “[leave] one of our best tools, the FBI, on the sidelines and makes us less safe at a time when we face unprecedented threat.” To account for this concern, CISA Director Jen Easterly noted that CISA would immediately share incident reports with the FBI.
Ransom Payment Reporting Requirements
Additionally, the Act requires a covered entity that makes a ransom payment as the result of a ransomware attack to report the payment to CISA within 24 hours of making it. The Act defines “ransom payment” broadly as the transmission of any money or other property or asset, including virtual currency, delivered in connection with a ransomware attack. Importantly, these payments must be reported regardless of whether the underlying attack is a covered cyber incident.
Substantially Similar Reported Information
Under current administrative rules, some critical infrastructure owners and operators are already required to report cyber incidents to federal regulators. For example, under current Transportation Security Administration (TSA) cybersecurity directives, critical pipeline and surface transportation owners and operators are required to report cybersecurity incidents to CISA within 24 hours. Now, under the Act, if a covered entity is obligated by law, regulation or contract to report to another federal agency information “substantially similar” to the information which must be reported under the Act and within a similar timeframe, that entity is exempt from reporting to CISA. However, this exemption only applies in cases where CISA and the other federal agency receiving the report agree and have an information sharing mechanism in place. In the event of such an agreement, the receiving federal agency will share the entity’s cyber incident report with CISA as soon as possible and no more than 24 hours after receiving it.
Currently, the Act does not indicate what will happen in instances of covered entities already required to submit cyber incident reports to CISA (as with TSA security directives); this will likely be clarified as CISA begins promulgating rules to implement the Act.
CISA Use of Reported Data
Considering the reported information’s potential sensitivity, the federal government’s use of that information is limited to cybersecurity purposes, security threat and vulnerability identification, and investigating and prosecuting the reported cyberattack offenses. The Act forbids reported information from being used for enforcement or other administrative actions against reporting entities outside of the cyberattack. The Act contemplates additional protections for the reported data. Importantly, the Act exempts the reported data from Freedom of Information Act (FOIA) disclosures, including when a reporting entity designates the submitted information as “commercial, financial, and proprietary information.”
Liability Protections for Reporting Entities
Covered entities will also receive limited liability protections against claims brought by private parties, based on the submitted report’s conformity with the Act’s requirements and other associated regulations. However, this protection only applies to litigation that is based solely on the report submitted to CISA as required by the Act.
Penalties for Noncompliance
Should CISA become aware of a covered entity’s failure to disclose a covered cyber incident, the Act empowers CISA to request information about the alleged incident directly from the entity. If the entity does not respond to the request within 72 hours, CISA may issue a subpoena compelling disclosure of “information the Director deems necessary to determine whether a covered cyber incident has occurred.” CISA may also subpoena any additional information related to the cyber incident that the entity would have been required to report to CISA under the Act or its implementing regulations. If the covered entity fails to comply with the subpoena, the Act permits CISA to refer the matter to the Attorney General, who may bring a civil action to enforce the subpoena.
To fully implement the Act’s requirements, CISA must promulgate additional administrative rules. Within 24 months of the Act’s enactment date, the CISA Director must consult with the DOJ, the Sector Risk Management agencies and other federal agencies to develop rules for the Act’s implementation and for publication in the Federal Register. Final rules must be promulgated no later than 18 months after publication of the proposed rules in the Federal Register.
These implementation rules must include clear descriptions of:
Considerations for the Sports and Entertainment Industry
CISA’s implementation of the Act could take upwards of two years. Given the rise of cyber threats, however, the Ranking Member of the Senate Homeland Security and Governmental Affairs Committee is urging CISA and the National Cyber Director to work “quickly” to implement the provisions of the Act.
Regardless of the final implementation timeline, companies should already be considering how the provisions of the Act could affect their operations and obligations. Companies should first determine whether they will be considered a designated covered entity under the Act. While DHS needs to clearly define what is considered critical infrastructure, it is easy to foresee that sports and entertainment facilities will be encompassed within this new law. Even if those facilities are not clearly included, certain key resources, such as energy utilities and transportation systems relied upon by sports arenas, ballparks, concert venues and others, will have notification obligations under this new law. As a result, owners and operators of sports and entertainment venues should be following this law as if they are included within its obligations until proven otherwise.
Companies likely to be considered covered entities may want to consider proactively engaging with CISA as it begins refining definitions and implementation rules. In addition, those companies likely designated as covered entities will also want to review internal procedures which would enable the identification of covered cyber incidents and the reporting of such incidents to CISA in a timely fashion.
Pillsbury will continue to monitor CISA’s implementation of this law as it develops over the next several months. For additional information, please feel free to contact Pillsbury partner Brian Finch at 202.663.8062 or [email protected] or any member of Pillsbury’s Cybersecurity Team.