CISA's proposed framework for cyber incident reporting rules includes subpoena power


The rules also require covered entities that pay a ransom to regain control of their systems and data to report the payment to the Cybersecurity and Infrastructure Security Agency.

The Cybersecurity and Infrastructure Security Agency on Wednesday released a long-anticipated framework outlining mandatory cyber incident reporting rules.

The document, set to publish April 4, proposes rules implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA, which requires critical infrastructure entities hit by ransomware or other covered cyber incidents to report them to CISA in a timely manner.

CISA says the law would allow officials to rapidly deploy resources and assistance to victims suffering cyberattacks and quickly share that information to warn other potential targets.

"CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation's critical infrastructure," said CISA Director Jen Easterly in a statement. "It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats."

Under the law, covered cyber incidents must be reported to CISA within 72 hours of the entity reasonably believing that one has occurred, while ransom payments must be reported within 24 hours of the payment being made. Some 316,000 entities are expected to be affected by the measure, which will cost around $2.6 billion over the next decade, according to the blueprint.

The rule mandates that entities that pay ransoms to hackers holding their data or systems hostage must also report the payment to CISA. Organizations that report incidents under CIRCIA will also need to preserve the data used to prepare the report for at least two years. Federal agencies that already report related incidents under the Federal Information Security Modernization Act, or FISMA, are exempt from the measure.

CISA is also permitted to issue a request for information to an organization covered by the law that it believes experienced a covered incident but did not report it within the required window. If the entity does not respond, CISA can issue a subpoena to compel disclosure, and if the entity fails to comply with the subpoena, CISA can refer the matter to the Justice Department for civil enforcement. In extreme cases, noncompliance could also be referred for suspension or debarment from federal contracting.

A final rule is expected to be published around 18 months after the comment period closes in early June, according to a senior CISA official who briefed reporters. 

The comment period invites individuals and critical infrastructure operators to provide feedback about how the agency should best develop the rules. The goal of the process is to make "exceedingly clear" which entities are covered by the law, said the senior official. Those could include operators of pipelines, water treatment facilities and electricity grids, among other areas.

The rule, once it takes effect, is likely to substantially increase the volume of data available about cyberattacks on organizations. Certain sector-focused agencies, such as the Federal Communications Commission and the Securities and Exchange Commission, have already adopted rules requiring more transparency from the firms they oversee about cyber incidents targeting their businesses.