Cybersecurity Legislation: What US Organizations Need To Know About CIRCIA Compliance

There’s no shortage of high-profile cybersecurity incidents hitting the news every week. In 2021, we saw a leading energy supplier shut down a major eastern US fuel pipeline in response to a cyber attack. In the same year, a major US insurance carrier fell victim to a costly ransomware attack that resulted in thousands of stolen records and the shutting down of business systems. And the list goes on. The FBI received nearly 850,000 complaints totaling $6.9 billion in losses in 2021, the highest of any year on record.  

However, these are just the stories we hear about. Cyber-attacks often go unreported due to fear of financial or reputational repercussions. This concerning reality poses significant challenges to the cybersecurity industry. Namely, that we can’t fight cybercrime strategies we have no knowledge of and that unreported cybercrime essentially makes attacks a no-risk venture for cybercriminals – whether they succeed or fail, they can fly under the radar and face no consequences.  

But, new cybersecurity legislation could put an end to unreported cybersecurity incidents. In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires certain US companies to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).  

But what exactly is CIRCIA? Which organizations does it apply to? And how do you ensure cybersecurity compliance under this new legislation? Let’s get into it.  

What is CIRCIA?

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a new federal law that requires a subset of critical infrastructure entities in the US to report cyber incidents to the federal government within 24 to 72 hours, depending on the type of incident.  

This cybersecurity legislation has been in the works for several years but was accelerated recently, likely due to the recent Russia-Ukraine conflict.  

What Types of Organizations Does CIRCIA Apply To?

CIRCIA applies to companies within the critical-infrastructure sector and has significant implications for cyber incident reporting, disclosure, and governance. Organizations under this umbrella include healthcare organizations, financial institutions, nuclear power plants, critical manufacturing, and water, electrical, and telecommunications companies.  

However, it’s worth noting that the exact companies that fit the criteria of “critical infrastructure” haven’t yet been finalized. As of yet, the rulemaking process is still ongoing, and several critical activities must happen before finalizing the rules. The Department of Homeland Security (DHS) plays a crucial role here in determining the scope of agencies and which incidents require reporting. Similarly, CISA must consult with various entities, including the Department of Justice, Sector Risk Management Agencies, and other connected federal agencies.  

The exact entities selected will likely be based on several criteria, including the likelihood they will be targeted, the consequences of disruption or compromise following a cyberattack, and the extent to which compromise would disrupt critical infrastructure.  

So, when will CIRCIA be finalized? The CISA director must propose a final rule within two years of its enactment, but we could see this happen much sooner.  

What are the CIRCIA Reporting Requirements?

Selected organizations will be required to report two types of cyber events – covered cyber incidents (CCIs) and ransomware payments in response to ransomware attacks. Under CIRCIA, if an organization falls victim to a CCI, it must report the event within 72 hours. And if the organization has paid a ransom following a ransomware attack, it must report it within 24 hours.  

 But what exactly is a covered cyber incident? Several factors could see an event categorized as a CCI, including: 

• Substantial loss of integrity, confidentiality, or availability of information systems.  
• Significant impact on safety or resiliency of operational systems.  
• Operational disruptions as a result of compromise of cloud service providers, supply chains, managed service providers, and other third parties.  

 It’s also important to note that CISA and the DHS recognize that organizations won’t have all the information about a cyberattack within the first 72 hours. Therefore, this window functions as an initial disclosure, but organizations are expected to release follow-up reports.  

Weighing Up The Risks: Transparency vs. Oversharing

One major concern many organizations have is the potential risk of oversharing sensitive information while complying with CIRCIA. Currently, there are no hard and fast rules for how much information companies have to share, and this will likely be a key topic of discussion during the rulemaking process.  

 Naturally, organizations will want to avoid sharing information that could make them vulnerable to intellectual property theft. And similarly, they will want to limit information around their cyber defenses so as not to give hackers an advantage in targeting their systems.  

How Will CIRCIA Be Enforced?

The CISA director will have the authority to request information from companies subject to CIRCIA to help determine whether a CCI or ransom payment occurred. If the organization doesn’t respond, CISA can issue a subpoena or refer the matter to the Department of Justice.  

Do Organizations Have to Start Reporting Cyber Incidents Today?

No, critical infrastructure organizations don’t have to report cyber incidents until the Final Rule implementing CIRCIA’s reporting requirements goes into effect. However, CISA strongly encourages organizations to voluntarily share information as soon as possible (once they’ve consulted with their legal teams about what information can be shared).  

What Will the Government Do With the Information?

Information reported under CIRCIA will aid the DHS in analyzing cyber threat information and developing new strategies to protect information systems, identify and respond to cyber threats, and prevent and mitigate future attacks.  

What Steps Should Companies Take To Be CIRCIA Compliant?

Organizations should ensure they have a comprehensive and well-defined process of notifying relevant parties and escalating action following a cyber incident. A strong information security team complete with robust cybersecurity tools is critical here, as is communication with legal and HR teams. A comprehensive incident response plan is a must.  

Final Thoughts

CIRCIA is an important milestone in strengthening cybersecurity in the US and protecting the critical infrastructure we rely on every day. If you think your company will be subject to CIRCIA and want to ensure CIRCIA cybersecurity compliance, it’s best to act now.