The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released draft rules for cyber incident reporting by critical infrastructure entities, with requirements for reporting “substantial” attacks within 72 hours and ransom payments within 24 hours.

The proposed rules have been issued under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enacting the rules will mark “an important milestone” for the nation’s cybersecurity, according to CISA.

“CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure,” said CISA Director Jen Easterly in a statement. “It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats. We look forward to additional feedback from the critical infrastructure community as we move towards developing the Final Rule.”

Under the rules, CISA also makes clear that critical infrastructure entities may use third parties to submit reports required under CIRCIA. These can include insurance providers, incident response firms, attorneys, or service providers. These third parties will also be mandated to alert covered entities of their reporting requirements under CIRCIA when making ransom payments on their behalf.

Under the rules, reports should contain:

⦁ The date and time of the incident

⦁ The location of the incident

⦁ The type of observed activity

⦁ A detailed narrative of the event

⦁ The number of people or systems affected

⦁ The organization’s name

⦁ A point of contact

⦁ The severity of the event

⦁ Details regarding the critical infrastructure sector

⦁ A list of anyone else the entity informed

CIRCIA also authorizes CISA to subpoena entities for additional information about cyber incidents or ransom payments not contained in initial reports, as well as provides some liability protection for entities reporting to CISA.

In defining a “substantial” cyber event, CISA outlined four “impacts” that would trigger reporting requirements, including substantial loss of confidentiality, integrity, or availability of an information system or network; serious impact on the safety and resiliency of operational systems and processes; disruption of business or industrial operations; or unauthorized access caused by a third-party provider or supply chain compromise.

This broader approach, the agency said, allows entities themselves to determine whether a cyber event is substantial rather than analyzing whether it falls into narrower criteria. CISA offered examples of the compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; a supply chain compromise; a denial-of-service attack; a ransomware attack; or exploitation of a zero-day vulnerability.

“CISA believes that defining a covered cyber incident to include all substantial cyber incidents experienced by a covered entity rather than some subset thereof is both consistent with the statutory definition of covered cyber incident and is the least complicated approach to defining covered cyber incidents,” said the agency in the draft.

CISA included exceptions for any cyber incidents that arise out of “good faith” actions, such as penetration testing that goes awry, authorized bug bounty programs, or unintentional misconfigurations of a covered entity’s devices by a third-party service provider.

The rules apply to firms within the 16 sectors defined as critical infrastructure that exceed a certain size or meet sector-specific criteria. The 16 sectors covered chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.

CISA sought comment from a wide range of stakeholders in developing the rules, according to the agency. The public comment period will be open for 60 days before the rule is finalized.