President Biden recently signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 as part of a larger omnibus appropriations bill. The new law sets out mandatory reporting requirements for critical infrastructure entities in the event of certain cyber incidents and ransomware payments. Under the Act, once implementing regulations are issued (which are not expected this year), covered entities will be subject to two new reporting requirements:
Covered entities must report covered cyber incidents no later than 72 hours after the covered entity reasonably believes that an incident has occurred.
Covered entities that make a ransom payment as a result of a ransomware attack against critical infrastructure must report the payment no later than 24 hours after the payment has been made.
While the general reporting timeframes are clear, the questions of who is impacted by this Act, what incidents must be reported, and what the reporting process requires are decidedly less clear. The Cybersecurity and Infrastructure Security Agency (CISA) will be issuing rules addressing these points. A proposed rule is to be issued within 24 months of enactment, and the Director of CISA is to issue a final rule within 18 months of issuance of the proposed rule. As part of the rulemaking, CISA will further define the scope of critical infrastructure entities that are covered. It is hoped that the rulemaking will also include a clearer description of what constitutes a substantial cyber incident. The requirements will not go into effect until CISA issues its rules.
The Act outlines strict enforcement mechanisms to ensure compliance. If CISA has reason to believe a covered entity has not submitted a required report, CISA may first request that the entity provide information about the incident. If the entity does not respond within 72 hours, CISA may subpoena the entity for the information. Failure to comply with the subpoena can result in civil enforcement action and/or suspension and debarment from federal contracting.
Putting it into Practice: The reporting requirements will not be effective immediately, but companies that operate in critical infrastructure sectors should review the Act, and the proposed rule when it is released, to determine whether they will be subject to the reporting requirements. Companies also may consider submitting comments on the proposed rule to participate in the rulemaking process, and reviewing their incident response plans for updates that may be needed under the new rules. In particular, the 72-hour incident clock runs from the point at which the entity reasonably believes an incident has occurred, not from the point at which it is fully confirmed, so incident response plans should define who makes that determination, when, and how the reporting deadline is tracked from there.