Signed into law by President Biden in March 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 is federal legislation that requires all critical infrastructure entities to report cybersecurity incidents and ransomware attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within a specific timeframe. [1]
CIRCIA aims to improve reporting of cyber incidents, which is vital for critical infrastructure businesses to protect the country’s essential services and facilities.
What Is Considered A Cyber Incident?
CISA proposes to define a cyber incident as an event that, without lawful authority, threatens the integrity, confidentiality, or availability of information on an information system, or threatens the information system itself.
There are two types of incidents: covered cyber incidents and substantial cyber incidents.
1. Covered Cyber Incident
Under CIRCIA, Congress defines a covered cyber incident as a substantial cyber incident that meets the criteria set by the Director of CISA.
CISA believes that including all substantial cyber incidents as covered is the simplest and most consistent approach. This way, a covered entity only needs to check if an incident is substantial enough to report it, without needing to analyze additional criteria.
Since the term “substantial cyber incident” is only used to help define covered incidents in CIRCIA, CISA sees no advantage in having separate requirements for the two types.
2. Substantial Cyber Incident
CISA defines a substantial cyber incident as an event that causes any of the following:
- A major loss of confidentiality, integrity, or availability of a covered entity’s information system or network.
- Significant harm to the safety and reliability of a covered entity’s operations.
- Disruption of a covered entity’s business activities or ability to deliver goods or services.
- Unauthorized access to a covered entity’s information system or sensitive data, which may occur through compromises involving cloud service providers, managed service providers, third-party data hosts, or supply chains.
CISA also states that any cyber incident causing these impacts, regardless of its cause, qualifies as a substantial cyber incident. This includes incidents such as attacks on cloud service providers, denial-of-service attacks, ransomware attacks, and the exploitation of zero-day vulnerabilities.
Which Critical Infrastructure Entities Need to Report a Cyber Incident?
An entity must be part of a “critical infrastructure sector” as defined in Presidential Policy Directive 21 (see 6 U.S.C. 681).
These sectors are outlined in the National Critical Functions framework. Under CIRCIA, all “covered entities” (public and private) in the following critical infrastructure sectors must follow the new reporting requirements:
- Chemical
- Communications
- Critical Manufacturing
- Defense Industrial Base
- Emergency Services
- Energy
- Financial Services
- Government Facilities
- Healthcare & Public Health
- Information Technology
- Nuclear Reactors, Materials & Waste
- Transportation Systems
- Water & Wastewater Systems
Sectors Without Proposed Reporting Criteria from CISA
CISA does not propose any sector-specific criteria for reporting cyber incidents in the following three sectors (listed with their sub-sectors):
- Commercial Facilities
  - Entertainment and media
  - Gaming
  - Lodging
  - Outdoor events
  - Public assembly
  - Real estate
  - Retail
  - Sports leagues
- Dams
- Food & Agriculture
  - Supermarkets
  - Grocery stores
  - Other food outlets
  - Food manufacturers
  - Food processors
  - Warehouses
Instead, those sectors can use general guidelines or other existing regulations when reporting cyber incidents.
What Are The CIRCIA Reporting Requirements?
Covered entities have two main reporting obligations:
1. Types of Incidents to Report
- Any covered cyber incident that disrupts operations or poses a threat to critical infrastructure.
- Ransom payments made in response to ransomware attacks.
2. Reporting Timeframes
- Covered entities must report incidents within 72 hours after reasonably believing that a covered cyber incident has occurred. CISA will define what “reasonable belief” means, including whether it requires a confirmed incident or only a potential cyber incident.
- Ransom payments must be reported within 24 hours after the payment is made.
Once CISA receives incident reports, it must share them with the relevant federal agencies within 24 hours. If a federal agency gets the report first, it must also notify CISA within 24 hours.
Three main initiatives come from the proposed rule:
1. Cyber Incident Reporting Council
The Department of Homeland Security (DHS) will create and lead the intergovernmental Cyber Incident Reporting Council to “coordinate the federal government cybersecurity and mitigation efforts more effectively, as intended by the act.”
2. Joint Ransomware Task Force
This task force is part of a nationwide effort by CISA to combat ransomware attacks, working alongside the Federal Bureau of Investigation (FBI) and the National Cyber Director.
3. Ransomware Vulnerability Warning Pilot Program
In line with the proposed rule, CISA is set to establish this pilot program to identify ransomware-related security vulnerabilities across the 16 critical infrastructure sectors. Once CISA finds the affected systems, its regional cybersecurity staff will inform the system owners, allowing “timely mitigation” to prevent further damage.
Note: CIRCIA’s reporting guidelines may change before their official release in October 2025.
FAQ
What Is The CIRCIA Reporting Rule?
The CIRCIA proposed reporting rule requires you to report any cybersecurity incidents or ransomware attacks to CISA within specific timeframes. If you’re in a critical infrastructure sector, you must notify CISA within 72 hours of reasonably believing an incident has occurred, and within 24 hours of making a ransom payment.
What Is A Cyber Incident Report?
A cyber incident report is a document you submit to CISA when you experience a cybersecurity event, such as a data breach or ransomware attack. It includes details about the incident, such as what happened, which systems were affected, and how it impacts your operations.
How Will CIRCIA’s Reporting Requirements Affect Your Business?
The CIRCIA reporting requirements will affect your business by making you responsible for reporting any covered cyber incidents to CISA within set timeframes. This means you’ll need to be prepared to quickly gather details and submit reports. The 2Secure Corp team stays updated on regulatory changes and compliance, ensuring your business meets these new requirements and remains protected against cyber threats.
Source:
- [1] Federal Register, “Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements” (proposed rule), April 4, 2024. https://www.federalregister.gov/documents/2024/04/04/2024-06526/cyber-incident-reporting-for-critical-infrastructure-act-circia-reporting-requirements