On Tuesday, March 15, President Biden signed the Consolidated Appropriations Act of 2022 (H.R.2471) into law. Division Y of the act is titled the "Cyber Incident Reporting for Critical Infrastructure Act of 2022" (a.k.a., "Cyber Incident Reporting Act"). As the title implies, the act creates new cyber incident reporting requirements for businesses that are deemed to be part of America's "critical infrastructure" sectors.
In this article, we will dive into the requirements of the act and answer questions such as:
- Where did the act originate?
- Which businesses are considered "critical infrastructure?"
- How does the act define "cyber incident?"
- What are the new cyber incident reporting requirements?
- Does the act align with existing cyber incident reporting requirements?
- What am I expected to do to comply?
- What will be changing in Tandem?
Where did the act originate?
The Consolidated Appropriations Act of 2022 was introduced into the House of Representatives on April 13, 2021. However, the Cyber Incident Reporting Act text was not added to the act until the Engrossed Amendment House (EAH) on March 9, 2022, six days before the act was signed into law.
The Cyber Incident Reporting Act text originated with another act titled the "Strengthening American Cybersecurity Act of 2022" (S.3600). Essentially, Congress copied Title II from S.3600 and pasted it into Division Y of H.R.2471, giving us the act as we now know it.
Which businesses are considered "critical infrastructure?"
The new law defines the term "critical infrastructure" using the definition from Presidential Policy Directive 21. As summarized by the Cybersecurity and Infrastructure Security Agency (a.k.a., "CISA" or "the Agency"), these sectors include:
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Base
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
If your business falls under one of these categories, then the new law applies to you.
How does the act define "cyber incident?"
The act defines a "cyber incident" as:
"An occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information [or] an information system."
For those of you interested in the legal jargon, the definition is nearly identical to the legal definition of "incident" established in 6 USC 659(a), except that it leaves out the concept of "imminent" jeopardization and focuses only on "actual" compromise.
In Section 2242(c)(2), the act goes on to describe several examples of "substantial" cyber incidents which would be subject to the new act. These incidents include denial-of-service (DoS) attacks, ransomware attacks, exploitation of zero-day vulnerabilities, and the compromise of third parties (e.g., cloud service providers, managed service providers, supply chain, etc.).
In short, the definition is very broad and could apply to nearly any incident which causes "actual" harm to the organization and/or to the organization's customers.
What are the new cyber incident reporting requirements?
In simplest form, there are two new reporting requirements:
- The first is a report to CISA within 72 hours of believing a cyber incident has occurred.
- The second is a report to CISA within 24 hours of making a ransomware payment.
While the act does specify what must be included in each report, it does not provide any further detail regarding how these reports are to be made. Instead, the act tasks the CISA Director with partnering with other agencies to publish a Notice of Proposed Rulemaking in the Federal Register within 24 months of the act being signed into law.
Does the act align with existing cyber incident reporting requirements?
Not necessarily, but there is hope.
- Section 104(a) requires federal agencies to report cyber incidents affecting their regulated entities to CISA within 24 hours. In cases where certain organizations are required to report incidents to their regulator (e.g., the new incident notification rule for banks), this requirement could be leveraged to the organization's benefit, if the regulator can file the report on their behalf.
The current problem is that the definitions of "incident" do not always align. For example, the incidents CISA requires to be reported are much broader than those the federal banking agencies require to be reported under the new incident notification rule. So, there would need to be some standardization involved, which is a perfect segue to…
- Section 104(b), which tasks the agencies with reviewing and harmonizing cyber incident reporting requirements. They are not only supposed to avoid "conflicting, duplicative, or burdensome requirements," but they are also supposed to "identify opportunities to streamline reporting processes." I think it is safe to say we will all be looking forward to seeing how this turns out.
What am I expected to do to comply?
Legally, there is nothing you are expected to do to comply. You will not be required to take any action until the Notice of Proposed Rulemaking is published in the Federal Register at some point within the next two years.
CISA will be conducting an outreach program (per Section 2242(e)) to communicate with affected entities regarding topics related to the final rule, including how to submit the required reports.
In the meantime, CISA's guidance on sharing cyber incident information (referenced in the 04/21/2022 update below) provides:
- A list of "10 Key Elements to Share."
- Examples of the types of incidents which should be reported.
- Contact information, including:
While reporting to CISA is not currently required, CISA encourages businesses to "voluntarily share information about cyber-related events that could help mitigate current or emerging cybersecurity threats to critical infrastructure."
What will be changing in Tandem?
Once the final rule is published in the Federal Register, applicable features in Tandem will be updated to include the required notification, including our Incident Management Communication Guidelines, as well as our Incident Management Policy. All changes will be published to the Software Updates blog.
Additionally, this article will be updated as new information becomes available, so be sure to check back for the latest status updates.
At Tandem, it is our goal to ease the burden of regulatory compliance. If you do not use Tandem and would like to see how we can help, not just with this new act, but with GLBA compliance and beyond, visit our website at Tandem.App.
- 04/21/2022 - Updated to include CISA's Guidance on Sharing Cyber Incident Information.