In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This landmark legislation aims to enhance America’s cybersecurity by requiring covered entities to report critical cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA).
Under these rules, covered entities are required to report cybersecurity incidents within 72 hours, and ransom payments within 24 hours of the payment being made. By setting strict guidelines for identifying, addressing and reporting cybersecurity incidents, CIRCIA aims to help prevent disruptions to essential services and infrastructure.
Purpose of Regulation
The main purpose of CIRCIA is to help preserve national security, economic security, and public health and safety from cybersecurity threats. It also promotes a more transparent posture from covered entities when reporting cybersecurity incidents: requiring incidents to be reported in a timely manner strengthens collaboration between covered entities and CISA.
1. Cyber Incident Reporting Requirements
Under CIRCIA, organizations falling within the 16 critical infrastructure sectors must promptly report cyber incidents to CISA. The reporting window is 72 hours from the time the entity reasonably believes the incident occurred. This swift reporting enables CISA to coordinate a response, support mitigation, and identify and address cyber threats affecting the public.
2. Federal Cyber Incident Report Sharing
While mandatory reporting isn’t yet in effect, CISA encourages all entities to voluntarily share information about cyber incidents. Prompt sharing allows CISA to provide timely assistance and issue warnings that help others avoid losses from a cybersecurity incident. Organizations can report unusual cyber activity via cisa.gov/report.
3. Cyber Incident Reporting Council
The Cyber Incident Reporting Council (CIRC) plays a crucial role in implementing CIRCIA. It is authorized by Congress and consists of several federal agencies whose mandate is to coordinate and develop existing and future cyber incident reporting requirements and to ensure consistent alignment among federal entities and agencies on reporting practices.
Conclusion
CIRCIA encourages a more organized and rapid approach to incident reporting and provides a key foundation for cybersecurity resilience by fostering a transparent and collaborative posture against cybersecurity threats.