The United States is evolving regulations for its cybersecurity defenses. The Cybersecurity and Infrastructure Security Agency (CISA) has introduced a proposed rule under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), targeting the enhancement of cybersecurity measures for US critical infrastructure. This proposal marks a significant stride toward more secure and resilient digital infrastructure. As we dissect this proposal, it's vital to understand its nuances and implications, particularly as the public comment period draws to a close on June 3, 2024.
The Goals of CIRCIA
At its core, the proposed CIRCIA rule is a proactive measure by CISA to address the escalating cyber threats that jeopardize critical sectors such as energy, transportation, and healthcare. The regulation mandates that designated entities report cyber incidents and ransom payments, thereby amplifying CISA's capability to mitigate these threats effectively. This regulatory initiative is crucial for protecting the US's national and economic security, as well as ensuring the health and safety of the public.
Defining the Reporting Entities and Incidents
A key aspect of the rule is the identification of "covered entities" – those operating within critical infrastructure sectors in the US. These entities are obligated to report if they experience a "covered cyber incident." Such an incident is defined as one that actually jeopardizes the integrity, confidentiality, or availability of an information system of a covered entity, without lawful authority. This definition is critical for entities to accurately determine which incidents require reporting, ensuring that CISA receives pertinent and actionable information.
Detailed Reporting Requirements and Timelines
The rule stipulates that covered entities must report covered cyber incidents within a 72-hour window and ransom payments within 24 hours. Reporting is to be conducted using a specified online form or through other approved methods. The regulation outlines distinct deadlines for various report types, such as Covered Cyber Incident Reports and Ransom Payment Reports. These timelines are designed to ensure that CISA receives timely and relevant information to respond to and mitigate cyber threats effectively.
Data Retention and Compliance Enforcement
A crucial component of the proposed rule is the requirement for covered entities to retain data and records related to reported cyber incidents. This retention is essential for the subsequent analysis and investigation of incidents. To ensure compliance with reporting requirements, CISA is armed with enforcement mechanisms, including requests for information and subpoenas. These tools empower CISA to obtain necessary information from entities that may not have complied with their reporting obligations. Data and records that must be preserved include:
• communications between the covered entity and the threat actor
• indicators of compromise
• relevant log entries, memory captures, and forensic images
• network information or traffic related to the cyber incident
• the attack vector
• system information that may help identify vulnerabilities that were exploited to perpetrate the incident
• information on any exfiltrated data
• data and records related to any ransom payment made
• any forensic or other reports aboutthe cyber incident produced or procuredby the covered entity
Safeguards and Public Participation
The proposed rule includes protections for the information contained in reports, such as restrictions on use and liability protections. Additionally, the regulation emphasizes the importance of safeguarding privacy and civil liberties. A significant aspect of the rulemaking process is the encouragement of public participation. CISA invites stakeholders to submit comments and feedback on the proposed regulation until June 3, 2024. This public comment period offers a unique opportunity for individuals, organizations, and industry experts to shape the final regulation, ensuring it effectively addresses the cybersecurity challenges facing the US.
Preparing for Compliance and Collaboration
As the US navigates the evolving cybersecurity landscape, it's imperative for covered entities to understand the intricacies of CISA's proposed CIRCIA rule and prepare for compliance. The public comment period presents a critical opportunity for stakeholders to contribute their insights and expertise, influencing the development of a regulation that balances security needs with practical implementation. By working collaboratively, organizations can collectively enhance the cybersecurity posture of the US's critical infrastructure, safeguarding it against the ever-present threat of cyberattacks.
The proposed CIRCIA rule was added to the US Federal Register on April 4, 2024.