Two years ago, President Biden signed into law a bipartisan bill enacted by Congress requiring “critical infrastructure entities” to report to the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) “cyber incidents,” ransomware payments, and any substantial new or different information discovered related to a previously submitted report. Known as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), this law was criticized by some critical infrastructure sector entities as overly broad, burdensome, and duplicative of existing requirements while making its way through the legislative process.
While some modifications were made to address those concerns before passage by Congress in March 2022, lingering questions remain post-enactment. CISA’s recently released proposal to implement the legislation attempts to clarify industry obligations under this new reporting regime. While CISA’s proposed rulemaking does clarify certain elements of the law’s implementation, it creates questions about others.
On April 4, 2024, CISA published for comment a Notice of Proposed Rulemaking (NPRM) on CIRCIA, with comments due by June 3, 2024. The complexity and length of the NPRM mean that the details are still being evaluated by the impacted sectors. While this deeper analysis is ongoing, it’s important to highlight several areas of interest, and to encourage not only the owners and operators in the impacted sectors to pay attention to this rulemaking and its eventual implementation, but to ensure vendors and service providers understand the implications of the NPRM – and to weigh in if they believe changes should be made.
CIRCIA was passed by Congress in early 2022 and signed into law by President Biden in March of that year. CISA subsequently initiated a “Request for Information,” which concluded in November 2022. CISA also led interagency efforts to begin developing a framework for the legislation during this time. CISA was required to publish the Notice of Proposed Rulemaking (NPRM) prior to the end of March 2024, just missing that deadline by a few days. As noted above, comments are due on June 3, 2024. However, a coalition of industry groups, including the Edison Electric Institute, the U.S. Chamber of Commerce, and the Utilities Technology Council, has asked for an extension of that deadline.
CISA is specifically seeking comments on both the practical and policy issues related to the implementation, especially those that were requested by Congress and/or in the responses from industry to the RFI, like: definitions, coverage/scope, reporting requirements and procedures, report submission deadlines, and enforcement procedures.
While CISA estimates an overall cost of $2.6 billion to industry to implement this law, the NPRM also highlights several perceived benefits:
Despite these purported benefits, and as mentioned above, this is a complex endeavor: it offers the opportunity to realize those benefits, but also the potential to cause unintentional harm or confusion. For example, duplicative reporting requirements are not fully addressed in the NPRM, although CISA commits to doing so:
"CISA acknowledges the potential for the inclusion of this criterion to create an additional reporting obligation on entities already required to report cyber incidents to the Federal government. CISA is committed to working with DOE, FERC, and NERC to explore the applicability of the substantially similar reporting exception to enable, to the extent practicable, entities subject to both CIRCIA and CIP Reliability Standards or Form OE-417 reporting requirements to be able to comply with both regulatory reporting regimes through the submission of a single report to the Federal government. Additional information on the substantially similar reporting exception can be found in Section IV.D.i in this document."
In addition, state reporting requirements do not appear to be addressed in the NPRM, creating another potential source of duplication.
CISA has attempted to clarify who is covered by the legislation, what is covered, and how the incident reporting will occur. The major buckets of covered entities are those owners and operators in the sixteen sectors identified as critical infrastructure in Presidential Policy Directive 21: 1) chemical; 2) commercial facilities; 3) communications; 4) critical manufacturing; 5) dams; 6) defense industrial base; 7) emergency services; 8) energy; 9) financial services; 10) food and agriculture; 11) government facilities; 12) healthcare and public health; 13) information technology; 14) nuclear; 15) transportation; and 16) water and wastewater systems. Most owners and operators within each sector are covered, with some small business and other limited exceptions. In the case of the electric sector, the Small Business Administration’s definitions apply unless a utility provides defense contracting services, provides emergency services, owns or operates a bulk electric and distribution entity, or qualifies as a state, local, Tribal or territorial government entity.
In terms of what is covered, the NPRM defines “substantial cyber incident” as follows (bold formatting added):
"While CIRCIA does not define the term substantial cyber incident, it provides minimum requirements for the types of substantial cyber incidents that qualify as covered cyber incidents. See 6 U.S.C. 681b(c)(2)(A). Consistent with these minimum requirements, CISA proposes the term substantial cyber incident to mean a cyber incident that leads to any of the following: (a) a substantial loss of confidentiality, integrity, or availability of a covered entity's information system or network; (b) a serious impact on the safety and resiliency of a covered entity's operational systems and processes; (c) a disruption of a covered entity's ability to engage in business or industrial operations, or deliver goods or services; or (d) unauthorized access to a covered entity's information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise. CISA is further proposing that a substantial cyber incident resulting in one of the listed impacts include any cyber incident regardless of cause, including, but not limited to, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; a supply chain compromise; a denial-of-service attack; a ransomware attack; or exploitation of a zero-day vulnerability. Finally, CISA is proposing the term substantial cyber incident does not include (a) any lawfully authorized activity of a United States Government entity or SLTT Government entity, including activities undertaken pursuant to a warrant or other judicial process; (b) any event where the cyber incident is perpetrated in good faith by an entity in response to a specific request by the owner or operator of the information system; or (c) the threat of disruption as extortion, as described in 6 U.S.C. 650(22).[136]"
The bolded language in (d) could be problematic for the obvious reason that utilities may not immediately know the root cause of an incident, and such an incident may be beyond their control, yet they are on the hook to report quickly to the federal government. If a substantial cyber incident has occurred, CIRCIA itself (and the NPRM) requires covered entities to report:
The potential for this quick turnaround to cause “fog of war”-type confusion is high, especially before the facts are assessed, and could cause worse outcomes if foggy reporting serves as the basis for additional action.
Finally, in the NPRM, CISA proposes that a covered entity submit CIRCIA Reports through the web-based CIRCIA Incident Reporting Form on CISA’s website. There may be questions about the cybersecurity of that portal itself, as well as whether such incidents are subject to FOIA.
While the leadership, legal and government relations teams of impacted CI sectors will determine the best way to weigh in with CISA on any concerns they have with the NPRM, operational-level staff can also take action in the interim. Given the broad applicability of CIRCIA, utilities of all sizes could take steps to prepare for its final implementation by inventorying their cyber assets (or auditing their inventories if they have already gone through that process), continuing to protect those assets and shoring up any identified gaps, and ensuring their capabilities and processes enable efficient and effective reporting of substantial cyber incidents when they do occur. Vendors and managed service providers will want to pay attention to this rulemaking, of course, and to work even more closely with their clients to align processes and create situational awareness in the event of a substantial cyber incident.
This blog is contributed by guest author Joy Ditto. Joy is an influential leader in the power industry and is a strategic advisor to Industrial Defender. Prior to launching her consulting firm, Joy served as president and CEO at the American Public Power Association, president and CEO of the Utilities Technology Council, and has held influential roles throughout the US Government focusing on energy and national security.