Cyber Incident Reporting for Critical Infrastructure Act

April 20, 2022

  • The U.S. Federal Government recently passed an act requiring organizations that have experienced a cybersecurity incident to report it to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. Additionally, ransomware payments must be reported within 24 hours.
  • The act gives legal and regulatory protections to organizations that report the incident or payment.
  • The director of CISA has subpoena power for non-compliance.

 


 

What Is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 and Why Is It Important?

Cybersecurity incidents are growing in cost and scale, often affecting multiple nations and industry sectors. Historically, malicious actors could rely on a culture of secrecy within breached organizations, which might decline to disclose a breach to the Federal Government, often aiming to reduce reputational damage and legal liabilities. This sometimes came at the cost of collective security for an industry (or even a nation) because other organizations and law enforcement couldn’t prepare for or track the attacker’s movements and techniques. This consistently put both the private and public sectors at a disadvantage and gave threat actors an easy way to expand their attacks.

 

In recent years, the paradigm has shifted, with more organizations now understanding the importance of sharing incident information when possible. A large drawback has been the lack of clear requirements and legal protections from the Federal Government. This has left many businesses needing to balance a collaborative approach to security with potential legal liability.

 

To resolve this conflict, the Federal Government on March 15th enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2022 as part of the Consolidated Appropriations Act, 2022 (Public Law No: 117-103). At its core, the new law aims to require disclosure of incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within a predetermined amount of time. In exchange for meeting the reporting requirements, organizations will be granted some legal protections from lawsuits pertaining to the reported incident. The Federal Government’s intent with this legislation is to build a collective understanding of how threat actors are targeting organizations and critical infrastructure. With this information, CISA plans to rapidly deploy resources, render assistance and warn other potential victims.

 

While this act has been signed into law, the reporting requirements aren’t currently in effect. CISA is required to submit a final rule no later than 24 months from the March 15th, 2022 enactment.

 

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 can be understood in three categories: requirements, protections, and enforcement.

 

  • Requirements
    • Report an incident within 72 hours of occurrence.
      • For clarity, the legislation defines an “incident” as, “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system” (6 USC 659)
      • This definition could be updated or clarified in the final rule.
    • Report a ransomware payment within 24 hours after payment is made. (This includes virtual currency.)
  • Protections
    • Protection from legal actions relating to incident or payment reporting.
    • Information about an incident or payment report can’t be used by federal, state, or tribal governments for regulatory enforcement actions.
  • Enforcement
    • The director of CISA may issue a subpoena for information if an organization does not respond to a request for information pertaining to an incident or payment.
    • If the organization doesn’t comply with the subpoena, the director of CISA may refer the matter to the Attorney General for civil action.

 

Optiv’s Perspective On Enhancing Your Cybersecurity Program

Cybersecurity activities continue to be top of mind across industries. With high-profile cybersecurity attacks in the private and public sectors, we’ve seen an increasing appetite for security-related actions from Congress and federal agencies. These have focused not only on federal agencies themselves but also on the private sector, whether it be a government contractor or an important link in the supply chain. This highlights the need to build out a robust, secure, and mature cybersecurity program that will help reduce exposure to cybersecurity incidents and risk to your business.

 

The reporting requirement encourages organizations to build a security capability to prevent or deter incidents, even if not explicitly required by the legislation. The act emphasizes accountability for incidents, including subsequent reporting until remediation. While the details of the final rule may vary slightly, the principles of risk management, governance, resilience, and attention to third parties are best practice areas that can strengthen cybersecurity programs and must not be ignored.

 

The time to act is now. Starting a programmatic approach today will drive readiness when the disclosure requirements are implemented. An approach that incorporates playbooks and coordination for media, legal, and other responses will help reduce revenue and business risk, not just cyber risk. Building and maturing a robust cybersecurity program that reduces risk takes time and a holistic approach. Waiting to start could require organizations to play catch-up or could potentially expose them to a greater level of legal or regulatory risk. This approach should start now and could include:

 

  • Cybersecurity risk assessment policies, procedures, and outcomes
  • Playbooks for media, legal, and other responses
  • Prioritized roadmaps for program maturity and other business goals
  • Third-party vendor management, including analysis of risk frameworks, which must be embedded within company policies and procedures to identify the cybersecurity risks associated with the use of third parties
  • Actions undertaken to prevent, detect and minimize effects of cybersecurity incidents
  • Business resilience activities, including incident response
  • Understanding the feedback loop to leverage prior information and incidents to enhance the overall cybersecurity program (people, process, technology, and analytics)
  • Integration of cybersecurity risk management within the enterprise strategy

 

As the trusted cybersecurity partner for many leading organizations, our goal is to quickly highlight these elements to drive awareness and promote cybersecurity across the enterprise. With these requirements impacting reporting, there has never been a more important time to elevate the cybersecurity conversation within your organization.

 

If you have questions about how the Cyber Incident Reporting for Critical Infrastructure Act affects your organization, please drop us a line.

Wendy Overton
Director, Cyber Strategy | Optiv
Wendy is a dynamic security leader who helps organizations increase their business value through innovative strategy, GRC, organizational design, engagement and transformation solutions. At Optiv, she supports clients through security strategy and transformation initiatives and leads Optiv’s Insider Risk Management; Security in Mergers, Acquisitions and Divestitures; and Cybersecurity Maturity Model Certification (CMMC) Readiness offerings.

Prior to joining Optiv, Wendy was a cyber risk practitioner at Deloitte & Touche, where she guided her clients as they elevated their security programs. She began her career as an Intelligence Analyst at the National Security Agency, focusing on foreign policy, counter-terrorism and counter-intelligence.

Brandon Brevard
Senior Consultant, Cyber Strategy | Optiv
Brandon is a seasoned cybersecurity leader who helps organizations create and protect value with a unique perspective on governance, risk and compliance (GRC) and security technologies. Having served in both risk management and information technology roles, his experience blends policy and risk management with a strong technical understanding which serves everything from the Fortune 500 to the U.S. Department of Defense.

Prior to Optiv, Brandon served as an Information System Security Officer at the DOD, where he ensured compliance with federal regulations, vulnerability remediation and adherence to best security practices.
