On April 4, 2024, the US Cybersecurity and Infrastructure Security Agency (“CISA”) published a Notice of Proposed Rulemaking (“Proposed Rule”) associated with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The proposed draft rule, coming in at 133 pages in the Federal Register, would establish two separate incident reporting requirements for companies that are a part of the US critical infrastructure. While the proposed rule, if adopted, would impact entities in many different contexts, we focus here on the potential impacts to government contractors and subcontractors.
Key Takeaways
- The proposed rule would expand reporting obligations broadly to entities that are part of the US critical infrastructure. Using a size- and sector-based evaluation, the proposed rule would subject an estimated 316K entities to its reporting requirements.
- Under the proposed rule, a “covered cyber incident” is reportable to CISA. What constitutes a “covered cyber incident” is likely to be hotly debated and difficult to discern, as it is determined by a case-by-case, fact-specific analysis of the event’s impact, ancillary effects, disruption of business, and root cause.
- Generally, reporting to CISA would be required within 72 hours for a covered cyber incident (defined below) and within 24 hours for any ransom payment to a threat actor.
- Four exceptions to this reporting requirement are proposed, the most relevant being when CISA maintains an information sharing agreement with an agency that also requires substantially the same timeline and similar reporting of a cyber incident.
The definitions in the proposed rule that establish which “covered entities” would be impacted, the reporting obligations imposed on covered entities, what constitutes a “covered cyber incident,” the reporting exceptions, and foundational compliance measures are discussed below. In approaching these subjects, we focus on the implications for government contractors and subcontractors.
See the full article on dentons.com