
What Critical Infrastructure Should Do: Mandatory Cybersecurity Incident Reporting for Critical Infrastructure Is Coming and CISA Encourages Voluntary Reporting Now | Orrick, Herrington & Sutcliffe LLP


On April 7, the Cybersecurity and Infrastructure Security Agency (“CISA”) released a “Cyber Event Information Sharing” fact sheet that may provide insight into how it will implement the new incident reporting requirement enacted by the federal government on March 15: the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Section Y of the Consolidated Appropriations Act). Many key details of the reporting requirement are left to future rulemaking by CISA, including which critical infrastructure organizations the reporting requirements will apply to; which cyber incidents must be reported (that is, what counts as a “substantial” cybersecurity incident); what information critical infrastructure organizations will need to report; and the reporting mechanisms. The critical infrastructure industry has time to prepare, because the reporting requirement will not take effect until the rulemaking process is complete, although CISA is already encouraging voluntary reporting. Although the statute gives CISA 24 months to publish a proposed rule, with the final rule expected 18 months after that, organizations should anticipate that CISA will act more quickly and that the final rule could be published as early as the beginning of 2023.

Statutory Framework and CISA’s Fact Sheet Recommendations for Reporting Now

The law provides a framework that gives a picture of what to expect once the reporting requirement becomes mandatory. Although CISA has not yet begun the rulemaking process, its fact sheet offers recommendations for voluntary reporting now.

The law also imposes an obligation to retain data relating to a covered incident or ransom payment, in accordance with the final rule.

Enforcement Mechanism

The Act includes an enforcement mechanism, which is new for CISA, which previously had neither enforcement nor subpoena powers. It now has both. Specifically, if the CISA Director has reason to believe that a Covered Entity has not submitted a required report, the Director may seek information about the Covered Cyber Incident or ransom payment by engaging the Covered Entity directly. If after 72 hours no response or an inadequate response is received, CISA may request the information by subpoena. If an entity fails to comply with a subpoena, CISA may refer the matter to the Attorney General for civil action. The enforcement and subpoena powers do not apply to Covered Entities that are state, local, tribal, or territorial government entities.

If the Director determines that information provided in response to a subpoena may be grounds for regulatory or criminal action, the Director may provide that information to the Attorney General or the head of the appropriate regulatory agency. However, information contained in a voluntary report, or provided in response to a direct request from CISA, cannot be used as the basis for such actions.

Information Sharing Provisions

Information received in reports will be processed and shared by CISA with a number of different groups.

Federal government: Within 24 hours of receiving a report, CISA must make the information available to “appropriate industry risk management agencies and other appropriate federal agencies.” This inter-agency sharing is subject to specific requirements to be set by the President, including which agencies should be included in the information sharing. The FBI and the Department of Justice, which had expressed frustration at not being included as direct recipients, will likely receive reports through this provision. The information in the reports may also be shared with federal departments and agencies to identify and track ransom payments. CISA will provide a monthly briefing to congressional leaders regarding the national cyber threat landscape.

Information Sharing Groups: Anonymized information about context, threat indicators, and defensive measures will be shared with cyber information-sharing groups, such as state and local governments, cyber incident response companies, and security researchers.

Critical Infrastructure Owners and Operators: Reported information may be shared, on a voluntary basis, among relevant critical infrastructure owners and operators, particularly where it relates to ongoing threats, security vulnerabilities, or mitigation techniques that can help entities prevent cyber incidents.

General public: CISA can use information from significant incidents, including ransomware attacks, and “identify and disseminate ways to prevent or mitigate similar incidents in the future.” An unclassified public report will be released quarterly with “aggregated and anonymized findings, conclusions, and recommendations.”

Protections of Reported Information

The Act protects reported information in several ways. Information obtained solely through a report submitted under the Act may not be used to regulate the reporting entity. The submission of a report cannot be used as the basis of a cause of action. Reports and documents relating to their preparation, drafting, or submission are not subject to disclosure and may not be received as evidence in any trial or proceeding. Reporting will not constitute a waiver of any applicable privilege or protection provided by law. Information contained in a report may be designated as the commercial, financial, and proprietary information of the covered entity. Reports will not be subject to Freedom of Information Act requests or any other public disclosure provision.

What Critical Infrastructure Should Do Now

Although CISA has not formally begun the rulemaking process that will make the reporting provisions mandatory, organizations should immediately:

  • Consider whether, based on the guidelines published to date, they are part of “critical infrastructure”.
  • Determine if and when self-reporting might be appropriate before the requirement becomes mandatory.
  • Stay informed of the rulemaking process and consider submitting comments during the rulemaking process to provide feedback on any concerns arising from the proposed reporting requirements and mechanisms.
  • Review the company’s incident response plan and develop a strategy, with internal and external incident response resources, to operationalize a 72-hour reporting requirement (24 hours when a ransom payment is made) and to complete reports quickly.
  • Analyze vendor cyber incident reporting requirements and consider revisions for key entities.

Orrick’s Cyber, Privacy, & Data Innovations team is ready to help critical infrastructure entities review their cybersecurity programs in light of this announced reporting framework and design practical, forward-thinking strategies to facilitate reporting compliance.
