CISA Launches New Cyber Incident Reporting Rules


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has unveiled draft updated cyber incident reporting rules for critical infrastructure organizations.

Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), CISA has released the first draft of the proposed new rules, which will be published in the Federal Register on April 4.

These rules will apply to all U.S. defense contractors considered to operate critical infrastructure under DFARS clause 252.204-7012.

All organizations that fall under the 16 critical infrastructure sectors, as defined by CISA, will be required to report cyber incidents to the agency within 72 hours of their occurrence, under the legislation.

Additionally, ransom payments made in response to a ransomware attack must be reported within 24 hours of the payment being made.

US Defense Contractors Must Report Dually to CISA and DoD

The new 447-page document outlines the steps “covered entities” should take when faced with a cyber incident or ransom demand.

This includes reporting to CISA in any of the following four situations:

  • Substantial loss of confidentiality, integrity or availability
  • Serious impact on the security and resilience of operational systems and processes
  • Disruption of ability to engage in commercial or industrial operations
  • Unauthorized access facilitated by or caused by a supply chain compromise, or by a compromise of a cloud service provider (CSP), managed service provider (MSP), or other third-party data hosting provider.

In the document, CISA suggests enforcement actions for misrepresentation or noncompliance, such as subpoenaing the entity or reporting it to the U.S. Department of Justice (DoJ).

Although CISA acknowledged that most – if not all – covered entities are already required to report the same incidents to the U.S. Department of Defense (DoD), the agency “nevertheless proposes to include them in the CIRCIA applicability section.”

“This will ensure that the federal government receives the information necessary to identify cyber threats, exploited vulnerabilities, and techniques, tactics, and procedures (TTPs) that affect entities in this community and other interdependent critical infrastructure sectors, even if changes are made to what is required to be reported under the DFARS regulations, over which CISA has no authority,” the draft reads.

Covered entities have 60 days to provide comments to CISA on the proposed new rules.
