Earlier this month, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act. The purpose of the Act is to facilitate the hardening of the defenses of key U.S. infrastructure against cyber attacks. As the Act’s name suggests, it aims to fulfill this purpose primarily by establishing various reporting requirements, rather than by mandating any particular cybersecurity controls.
What Does the Act Do?
The Act requires that covered “critical infrastructure companies” must deliver a report within 72 hours of certain cyber incidents to the National Cybersecurity and Infrastructure Security Agency (CISA). Those same companies are also required to file a report with CISA within 24 hours of making a ransomware payment. The covered entity may produce the required reports itself, or may instead engage a third party such as an incident response company or law firm. Information reported to CISA under the Act is exempted from the Freedom of Information Act (and state counterparts) and is protected from discovery in litigation and from use at trial.
CISA, in turn, will “receive, aggregate, analyze, and secure” these reports in order “to assess the effectiveness of security controls, identify tactics, techniques, and procedures adversaries use to overcome those controls.” CISA will share its information and analysis with government and private stakeholders, including actionable recommendations on ways in which to identify and mitigate the threat from known cyber exploits. At a minimum, this reporting will include quarterly unclassified reports available to the public, as well as monthly briefings of congressional leadership and relevant committees. The information contained in these reports will be anonymized.
What Remains to be Done?
Quite a bit. The Act leaves many details to be filled in through the rulemaking process. For instance, the Act does not define which entities are considered “critical infrastructure companies” covered by the Act, nor does it define the type of cyber event that triggers reporting requirements. CISA will also have to develop principles guiding its determination of how and when to share information, what type of information to share, and with whom. CISA is not required to issue proposed rules for two more years, and is not required to issue final rules until another 18 months after that.
What Does the Act Mean for You?
Entities likely to be considered “critical infrastructure companies” should engage with the rulemaking process to ensure that their operational requirements are taken into consideration. At the same time, they must review their own controls and procedures — particularly incident response plans — to ensure they are able to meet the Act’s reporting requirements.
The Act also has implications for entities unlikely to be considered “critical infrastructure companies.” Bad actors more interested in money than geopolitics often choose victims they think will offer the least resistance. The Act will provide valuable information that can help any entity better understand and react to the threat landscape. Those that don’t act on this information and harden their defenses will become softer targets relative to their peers, and are more likely to attract the unwanted attention of cyber criminals.