CISA publishes 447-page draft of cyber incident reporting rule
The nation’s top cybersecurity agency has unveiled the initial draft of a new rule detailing how critical infrastructure organizations need to report cyberattacks to the federal government.
The Cybersecurity and Infrastructure Security Agency (CISA) posted the 447-page set of regulations under the Cyber Incident Reporting for Critical Infrastructure Act to the Federal Register, allowing the public to comment on it.
The law mandating the rules was passed in 2022 and is intended to improve the government’s ability to track incidents and ransomware payments. Secretary of Homeland Security Alejandro Mayorkas said the information will allow CISA and other agencies to better respond to incidents and identify weak points in the U.S. critical infrastructure.
“CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents, and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors,” Mayorkas said.
“The proposed rule is the result of collaboration with public and private stakeholders, and DHS welcomes feedback during the public comment period on the direction and substance of the final rule.”
CIRCIA mandates that certain critical infrastructure organizations report cyber incidents within 72 hours and ransomware payments within 24 hours. The incidents covered by the law include ones that “lead to substantial harm or pose a significant threat to the organization's ability to function or to national security, public health, or safety.”
The reports will be exempt from public disclosure laws and confidentiality is ensured, according to CISA. The agency designates 16 critical infrastructure sectors, including manufacturing, energy, financial services, healthcare, transportation and water utilities.
CISA estimates the cost of enforcing the rule would be $2.6 billion over the next 11 years — or about $230 million each year — with $1.4 billion in cost to industry and $1.2 billion in cost to the federal government.
Estimates from the agency said there will be more than 316,000 entities affected who will “collectively submit an estimated total of 210,525 CIRCIA Reports over the next decade.”
CISA has sought more funding — including $116 million for fiscal 2025 — to fully staff the incident reporting office but noted to reporters that recent appropriations have come in at less than the Biden administration requested. Officials said they are still working through ways to deal with the budget shortage and are in the process of upgrading the technological infrastructure needed to handle the influx of reports.
But an official noted that CISA already receives similar reports from certain industries and has measures in place that can be simply ported over for CIRCIA. Certain industries, like pipelines, railways and airlines, already have to report some incidents to CISA — so the agency has already developed some of the muscle memory needed to not only take in reports but share them with the FBI and the agencies in charge of specific sectors.
CISA Director Jen Easterly said the rule will allow the agency to take more coordinated action with the public and private sectors to address specific cyberthreats, calling it a “game changer.”
For months, CISA has sought to quell concerns that the reporting requirements will be burdensome, costly and duplicative considering other agencies and states have instituted incident reporting rules since CIRCIA was passed.
Much of the document is focused on exemptions, and CISA officials emphasized to reporters that they feel a responsibility to “action the information they receive” in order to “provide value back to the country and cybersecurity community.”
The reports submitted by attacked organizations will not be public, but key industry-wide information may be anonymized and released to warn the public of larger issues.
The public will have 60 days to comment on the rule once it is officially published on April 4 before CISA revises it and makes it official at some point in the next 18 months, officials told reporters.
Experts question delays, limited scope
Many cybersecurity experts working with the kind of companies that would have to submit reports under CIRCIA said they had mixed feelings on the initial draft.
Cybersecurity expert Josh Corman, who led CISA’s COVID Task Force for two years, raised several questions about efforts by CISA to limit the kind of organizations regulated under the law.
The focus on large organizations ignores the pivotal role small companies play in many industries, he said, and the emphasis on exceptions is “complex and harmful to intent.”
“We especially need ground truth in these lifeline, life safety sectors, some of whom tend to be smaller and most need timely help in the event of a disruption,” Corman said. “Even a five-person company can conform to this reporting obligation. Let’s not make over complex rules or deprive ourselves of visibility and risk reduction under false assumptions or exaggerations that this simple requirement would be egregiously burdensome.”
Many of the country’s hospitals and medical device firms are below the size threshold outlined in CIRCIA, he said, prompting questions about efforts by businesses and organizations to limit the scope of the incident reporting rules. The rule says only hospitals with more than 100 beds will be covered, which Corman says would exclude the vast majority of medical facilities.
Corman questioned what would happen if ransomware gangs, either by accident or on purpose, solely went after hospitals or medical device makers under the threshold. The data would be flawed, and he suggested there should be a stratification where smaller organizations still have to submit incident reports but more simplified ones than those required for large organizations.
“Everyone's initial instinct on the defense side if they're in critical infrastructure is to find ways to avoid having to do this. And when defenders make it hard to get ground truth on our national collective defense, we only benefit and advantage our adversaries,” he said.
“The default instinct to exclude yourself or limit yourself is harmful to our own collective interests, and continues and is palpably present in the review of the comments and seeing how CISA chose to embrace those comments.”
Ransomware provisions
GuidePoint Security operational technology security strategist Chris Warner told Recorded Future News that he was heartened by the inclusion of measures tracking ransomware payments, which are difficult to compile without companies being forthright about them.
But Warner questioned what will happen when critical infrastructure organizations don’t report an incident, either because it has been contained or stopped, that is subsequently revealed publicly by ransomware gangs or news outlets.
“CISA and other government bodies offer crucial support during cyberattacks, but compliance demands strain financial and personnel resources needed to secure IT and operational technologies (OT) like energy, water, and healthcare systems,” he said.
“This legislation has the potential to increase support from government agencies during and after a cyber-attack. It includes assistance throughout the incident and in compiling an after-action report, which outlines the attack's details, the measures taken in response, and potential strategies that could have prevented the incident.”
Scott Algeier, executive director of the Information Technology-Information Sharing and Analysis Center (IT-ISAC), said the organization plans to work with CISA to ensure that the final regulations “do not divert resources to compliance requirements that have no clear security benefit.”
“Ensuring that mandatory reporting is limited to actual security incidents of consequence is essential so as to not burden reporting companies or government analysts,” he said.
Viakoo vice president John Gallagher noted that there will need to be clear definitions of what organizations are covered so that cyber insurance providers can work with critical infrastructure organizations and leverage these guidelines to base underwriting decisions.
Plans from 2015
Corman took issue with the sector-specific plans outlined in CIRCIA. The document cites data and information from reports made in 2015 outlining the size and leading companies in each industry.
Corman questioned why documents made nearly a decade ago were being used by sector risk management agencies to understand specific industries that have likely evolved significantly since then.
“I think we've learned a lot since the 2015 sector specific plans and to use that as the basis for how we may determine sector specific topic entities is outrageous to me,” he said. “It is not the size of the organization, but rather the size of the impact of harm to national critical infrastructure. It is a facile cut off to say we're gonna do it based on size versus on impact.”
The danger, according to Corman, is that any data collected would be flawed, potentially prompting legislation from Congress that would be based on erroneous trends.
He added that there should be a higher threshold, regardless of size, for organizations involved in basic human needs like water, food, oil and gas, electricity and emergency care.
“Things that if you shut them off for 24 to 48 hours, people die,” he said.
Corman also took issue with the lack of urgency around the rule, noting that the law was passed in the wake of the ransomware attack on Colonial Pipeline, yet it took nearly three years for the effort to produce results.
The recent revelations around China’s Volt Typhoon campaign targeting U.S. critical infrastructure are an example of why this effort needed to be sped up, he added, warning that the rule may be hampered further by organizations attempting to avoid the reporting requirement altogether.
“We have not matched the urgency of the passage of the law with the urgency of the timeline for its implementation. [The law was] both simple and urgent and yet they came back three years after the Colonial incident and it's 447 pages,” he said. “So something that was urgent and simple did not demonstrate simplicity in its initial response.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.