CISA Issues Request for Information on CIRCIA

The Cybersecurity and Infrastructure Security Agency (CISA) is seeking information from the public in support of its  development of proposed regulation as required by the recently passed Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). 

CIRCIA was signed into law in March of 2022 as part of the Consolidated Appropriations Act. The Act directs CISA to develop cyber incident reporting regulations for covered entities. The wording of the Act is intentionally vague as to allow for CISA to determine the most appropriate path forward for reporting regulations. CISA has now put forth a request for public comment seeking industry insight that will be used in making requirements as appropriate and effective as possible.

While CISA is accepting information for all aspects of CIRCIA including requirements to report descriptions of exploited vulnerabilities, enforcement, and information protection policies, it is most interested in getting practical input to use in interpreting important terms to be used throughout final regulations.

CISA outlines several topics for commenters, including the following:

• Definitions and Scope: meaning of “covered entity,” meaning of “covered cyber incident” and “substantial cyber incident,” how often covered incidents are likely to occur within a specific industry, number of ransomware payments made on an annual basis, and meaning of “supply chain compromise”
• Report Contents and Submission Procedures including how covered entities should submit reports and information that should be in the reports and if/how those reports should  be different for reporting ransom payments; what constitutes as “reasonable belief;” when should ransom payments be considered “made” to set off the 24 hour countdown; supplemental reports; and preservation requirements
• Other Reporting Requirements and Vulnerability Information Sharing: other existing or proposed federal/state regulations that overlap with CIRCIA’s requirements; what federal entities receive cyber incident reports from covered entities; time and cost associated with report filing; and cost of data retention related to cyber incidents
  

CISA makes it clear that this list is not exhaustive and welcomes any relevant information the public may provide.

Written comments must be received by November 11, 2022 online through the Federal eRulemaking Portal (www.regulations.gov). CISA will also hold 11 public listening sessions. The dates, times, and locations for these can be found here.

For further information contact  Todd Klessman, CIRCIA Rulemaing Team Lead, CISA, circia@cisa.dhs.gov, 202-964-6869