Over 300,000 critical infrastructure entities in 16 sectors could soon be required to report breaches to the federal government, greatly expanding the regulatory purview of the Cybersecurity and Infrastructure Security Agency (CISA).
In April, CISA began soliciting public comment on its plan to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the federal law behind the proposed expansion. After comments closed on July 3, CISA has up to 18 months to finalize and implement the regulations.
IT Brew recently spoke with several experts for their thoughts on what operators should be preparing for at this juncture in the rulemaking process.
New obligations. The 447-page proposal currently requires covered entities to report four types of incidents within 72 hours, mainly relating to serious incidents that result in substantial impact on operations and/or loss of data, or involve compromise via a third party such as a vendor. It also requires reporting of ransomware payments.
The proposal does provide examples of each type of breach. Yet Stephen Lilley, a partner at law firm Mayer Brown who specializes in security and data privacy issues, said some ambiguity around reporting thresholds will remain until CISA defines them in practice.
CIRCIA also requires CISA to coordinate with other federal agencies to identify where redundant or duplicate rules might exist, which could result in shifting obligations.
“Realistically, no matter how good the rule is, there’s probably going to be some ambiguity down the road,” Lilley told IT Brew.
Anand Oswal, SVP and general manager of network security at Palo Alto Networks, advised smaller entities with limited cybersecurity resources to consider a platform-centric approach using third-party services.
“This affects 16 different sectors—communication, healthcare, food, utilities, etcetera, which is very broad,” Oswal told IT Brew.
Many in those sectors are “not the most agile organizations,” he added. “They’re not the high tech companies that we know that can move really fast.”
Covered entity? CISA has projected that over 300,000 entities will be subject to reporting requirements under the final rule. While there’s no question of whether larger entities like water systems and nuclear power plants fall into that group, the vast majority are smaller organizations, some of which may struggle to determine their status.
Lilley said organizations should consult resources like sector coordinating councils and trade associations, while CISA’s implementation plans include an outreach campaign. Beyond that, he said many should consult an attorney to determine their status—which might not be immediately obvious in sectors with sprawling supply chains, like defense.
“If you’re a small business that happens to be a supplier to a supplier to a military contractor, these are harder questions and more burdensome questions to work through,” Lilley said.
One way organizations can prepare more generally is to ensure they have an incident response plan with a budget and training programs in place, Alex Rose, director of government partnerships at security firm Secureworks, advised. Otherwise, they might find themselves scrambling to catch up after an incident.
“Who are you going to call?” Rose told IT Brew. “Who’s going to do your reporting?...Are you going to use your incident response organization to do it? If you have an incident, do you have the budget in place to do the log retention?”
Moving forward. Expect a clearer picture sometime after July 3, when CISA will begin reviewing public comments. Lilley and Rose said they expected most of the proposal to survive into the final rule, though CISA could make tweaks in response to industry criticism that the rule is overreaching.
“I think there’s no doubt that this is going to create a burden for companies,” Lilley said. “The question is, is that burden justified by the benefits that will flow from this rule? It’s a really key question that CISA hopefully can help answer in the rulemaking and then prove in the future.”
One possible twist could be a change in the political tides after the presidential election, as a Trump administration is expected by some to take a different view on CISA’s jurisdiction and purpose. Trump, as president, had conflict with the agency, including sacking its then-chief Chris Krebs in 2020, and may try to limit its regulatory authority. Republicans in Congress have also targeted the agency for budget cuts.