Takeaways

Most businesses in the United States will have to file incident reports—including for ransomware payments—under the Proposed Rule.
The Department of Homeland Security has the authority to issue subpoenas and even penalties for noncompliance with the rule.
Comments are due by June 3, 2024.

At the end of March 2024, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) released the long-anticipated Notice of Proposed Rule Making (NPRM) detailing how companies will have to comply with the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The draft CIRCIA Rule (the Proposed Rule) will require virtually every owner/operator entity within one of 16 identified Critical Infrastructure sectors to report a cybersecurity incident within 72 hours and/or to report a ransomware payment within 24 hours. Public comments about the Proposed Rule are due by June 3, 2024, and CISA expects to publish the Final Rule no later than October 4, 2025.

In addition to outlining the costs associated with the new rule, the NPRM details which entities will be covered by the CIRCIA reporting requirements, the timelines and mechanisms for reporting, and the scope of penalties for noncompliant entities. The overarching goal of the proposed regulation is to ensure that sufficient data is received promptly so the government can take the steps necessary to ensure integrity and protect against cyber threats across Critical Infrastructure sectors.

What Is a Covered Entity?
CISA estimates that the Proposed Rule will apply to approximately 316,000 Covered Entities, all of whom are in one of 16 enumerated Critical Infrastructure sectors and (1) do not qualify as a small business as defined by the Small Business Administration (SBA), or (2) meet a sector-based criterion.

The Proposed Rule applies to active participants in a sector, such as suppliers, service providers and regulators, as well as to owners or operators of critical infrastructure.

What Is Critical Infrastructure?
The White House published the Presidential Policy Directive 21 in February 2013. This Directive identified 16 Critical Infrastructure Sectors. These sectors are vital to national economic security, public health and the overall operational effectiveness of the United States. Examples include the Chemical, Communications, Defense Industrial Base and Financial Services Sectors.[i]

Entities should review the Sector Profiles and Sector-Specific Plans to determine if they fall within a Critical Infrastructure Sector.

Determining Small Business Eligibility
CISA will exclude entities classified as small businesses according to 13 CFR Part 121. Firms can determine their eligibility by using SBA’s Table of Size Standards, which defines small businesses based on industry, firm revenue and number of employees. Firms should search for their North American Industry Classification System (NAICS) code on the table to see their revenue or employment size limits, as the definition of “small business” varies by sector. For example, a soybean farm that earns $3 million in annual revenue doesn’t qualify as a small business, but a homebuilder that earns $40 million does.

CISA’s Sector-Based Criteria
Even if an entity qualifies as a small business, the Proposed Rule will apply if that entity satisfies a sector-based criterion. These criteria cover 13 of the 16 specified Critical Infrastructure Sectors (small business entities in the Commercial Facilities, Dams, and Food and Agriculture sectors are excluded from the compliance obligations set forth in the Proposed Rule). An entity meets the sector-based criteria if it satisfies one of the following:

  • Owns or operates a chemical facility;
  • Provides wire or radio services;
  • Owns or does business related to manufacturing metal, machinery, electrical equipment or transportation equipment;
  • Provides defense contracting services;
  • Provides emergency services;
  • Owns or operates a bulk electric and distribution entity;
  • Owns or operates financial services infrastructure;
  • Qualifies as a state, local, Tribal or territorial government entity;
  • Qualifies as an education facility;
  • Owns or does business related to information and communication technology to support elections;
  • Provides public-health-related services;
  • Provides information technology products and services to the federal government, develops software or does business related to hardware and software components;
  • Owns or operates a nuclear power reactor or fuel cycle facility;
  • Qualifies as a transportation system entity;
  • Owns or operates a maritime vessel, facility or outer continental shelf facility; and
  • Owns or operates a community water system or public treatment works.

Report Requirements
Under the Proposed Rule, a covered entity is required to submit a report to CISA if it experiences a covered cyber incident, makes a ransom payment, or has substantial new or updated information about a previously submitted report.

More specifically, the Proposed Rule outlines four types of CISA reports that may be required, each with its own deadline:

  • Covered Cyber Incident Report must be submitted within 72 hours after an entity reasonably believes that a covered incident occurred;
  • Ransom Payment Report must be submitted no later than 24 hours after the payment was made;
  • Joint Covered Cyber Incident and Ransom Payment Report must be submitted if a covered entity makes a ransom payment within 72 hours of a covered cyber incident. The report must be submitted within 72 hours of the cyber event occurring; and
  • Supplemental Report must be submitted if a covered entity makes a ransom payment related to a previously reported cyber incident. The report must be submitted within 24 hours of the funds being disbursed.

A covered entity may also submit an optional report that a covered cyber incident has concluded.

The Proposed Rule provides 10 examples of what would qualify as a “covered” cyber incident:

  • A distributed denial-of-service attack rendering a covered entity’s service unavailable for an extended period of time;
  • Any cyber incident that encrypts one of a covered entity’s core business systems or information systems;
  • A cyber incident that significantly increases the potential for a release of a hazardous material used in chemical manufacturing or water purification;
  • A cyber incident that compromises or disrupts a bulk electric system (BES) cyber system that performs one or more reliability tasks;
  • A cyber incident that disrupts the ability of a communications service provider to transmit or deliver emergency alerts or 911 calls, or results in the transmission of false emergency alerts or 911 calls;
  • The exploitation of a vulnerability resulting in the extended downtime of a covered entity’s information system or network;
  • A ransomware attack that locks a covered entity out of its industrial control system;
  • Unauthorized access to a covered entity’s business systems caused by the automated download of a tampered software update, even if no known data exfiltration has been identified;
  • Unauthorized access to a covered entity’s business systems using compromised credentials from a managed service provider; and
  • The intentional exfiltration of sensitive data in an unauthorized manner for an unauthorized purpose, such as through compromise of identity infrastructure or unauthorized downloading to a flash drive or online storage account.

The Proposed Rule also offers three exceptions to these reporting requirements:

  • A “substantially similar” report has already been submitted to another federal agency in a substantially similar timeframe under existing law, regulation or contract, and that agency has information-sharing mechanisms with the CISA;
  • A cyber incident impacts certain entities related to the Domain Name System; and
  • A Federal agency that is required to report to CISA under the Federal Information Security Modernization Act (FISMA).

CISA will consider whether the information reported to the other agency is “substantially similar” enough to meet the first exception. While the Proposed Rule indicates that DHS will enter into agreements with other federal agencies in an effort to determine whether the CIRCIA reporting obligations are “substantially similar” to the non-CIRCIA reporting obligations, the Proposed Rule affirmatively concluded that state reporting requirements will NOT be considered “substantially similar.” As a result, reporting entities will most likely be required to submit duplicate state and federal incident reports.

The report must include certain specified information, including the report type being submitted, and must identify the covered entity and the computer information system (CIS) of which it is a part. Reports must also include details of affected networks, a description of any unauthorized access, a timeline of the incident and the entity’s assessment of the impact on its networks. For Ransom Payment Reports, the entity must also report the ransom amount and the payment outcome. Reports can be submitted through CISA’s web-based reporting form on its website or by any other means that the CISA director approves. The reporting entity must preserve data relating to the covered cyber incident or ransomware payment for two years from the most recently submitted CIRCIA report.

Enforcement
The Proposed Rule also establishes the enforcement mechanisms available under CIRCIA should CISA determine that a covered entity failed to submit a required CIRCIA report.

If the CISA director believes that an incident has occurred and CISA has not received a report, CISA may initially submit a request for information (RFI) to the covered entity, requiring a response within 72 hours. The Proposed Rule notes that issuing an RFI is not a final action, and any enforcement action will follow only after an inadequate response to the RFI is received.

CIRCIA also provides CISA with the authority (and discretion) to issue a subpoena for information should a covered entity fail to respond to an RFI, or should its response be inadequate and not supplemented within the parameters established in the RFI.

A covered entity’s failure to comply with a subpoena for information may result in the CISA director referring the matter to the Attorney General to enforce the subpoena and/or pursue contempt of court charges. Other enforcement mechanisms include acquisition penalties and suspension and debarment of the covered entity from doing business with the federal government.

[i] The 16 critical infrastructure sectors identified in the PPD-21 are: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.


These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.