Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Full Text
<html>
<head>
<title>Federal Register, Volume 89 Issue 66 (Thursday, April 4, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 66 (Thursday, April 4, 2024)]
[Proposed Rules]
[Pages 23644-23776]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-06526]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
Cybersecurity and Infrastructure Security Agency
6 CFR Part 226
[Docket No. CISA-2022-0010]
RIN 1670-AA04
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
Reporting Requirements
AGENCY: Cybersecurity and Infrastructure Security Agency, DHS
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Cyber Incident Reporting for Critical Infrastructure Act
of 2022 (CIRCIA), as amended, requires the Cybersecurity and
Infrastructure Security Agency (CISA) to promulgate regulations
implementing the statute's covered cyber incident and ransom payment
reporting requirements for covered entities. CISA seeks comment on the
proposed rule to implement CIRCIA's requirements and on several
practical and policy issues related to the implementation of these new
reporting requirements.
DATES: Comments and related material must be submitted on or before
June 3, 2024.
ADDRESSES: You may send comments, identified by docket number CISA-
2022-0010, through the Federal eRulemaking Portal available at <a href="http://www.regulations.gov">http://www.regulations.gov</a>.
Instructions: All comments received must include the docket number
for this rulemaking. All comments received will be posted to <a href="https://www.regulations.gov">https://www.regulations.gov</a>, including any personal information provided. If
you cannot submit your comment using <a href="https://www.regulations.gov">https://www.regulations.gov</a>,
contact the person in the FOR FURTHER INFORMATION CONTACT section of
this proposed rule for alternate instructions. For detailed
instructions on sending comments and additional information on the
types of comments that are of particular interest to CISA for this
proposed rulemaking, see the ``Public Participation'' heading of the
SUPPLEMENTARY INFORMATION section of this document.
Docket: For access to the docket and to read background documents
mentioned in this proposed rule and comments received, go to <a href="https://www.regulations.gov">https://www.regulations.gov</a>.
FOR FURTHER INFORMATION CONTACT: Todd Klessman, CIRCIA Rulemaking Team
Lead, Cybersecurity and Infrastructure Security Agency,
circia@cisa.dhs.gov, 202-964-6869.
SUPPLEMENTARY INFORMATION:
Table of Contents
I. Public Participation
II. Executive Summary
A. Purpose and Summary of the Regulatory Action
B. Summary of Costs and Benefits
III. Background and Purpose
A. Legal Authority
B. Current Cyber Incident Reporting Landscape
C. Purpose of Regulation
i. Purposes of the CIRCIA Regulation
ii. How the Regulatory Purpose of CIRCIA Influenced the Design
of the Proposed CIRCIA Regulation
D. Harmonization Efforts
E. Information Sharing Required by CIRCIA
F. Summary of Stakeholder Comments
i. General Comments
ii. Comments on the Definition of Covered Entity
iii. Comments on the Definition of Covered Cyber Incident and
Substantial Cyber Incident
iv. Comments on Other Definitions
v. Comments on Criteria for Determining Whether the Domain Name
System Exception Applies
vi. Comments on Manner and Form of Reporting, Content of
Reports, and Reporting Procedures
vii. Comments on the Deadlines for Submission of CIRCIA Reports
viii. Comments on Third-Party Submitters
ix. Comments on Data and Records Preservation Requirements
x. Comments on Other Existing Cyber Incident Reporting
Requirements and the Substantially Similar Reporting Exception
xi. Comments on Noncompliance and Enforcement
xii. Comments on Treatment and Restrictions on Use of CIRCIA
Reports
IV. Discussion of Proposed Rule
A. Definitions
i. Covered Entity
ii. Cyber Incident, Covered Cyber Incident, and Substantial
Cyber Incident
iii. CIRCIA Reports
iv. Other Definitions
v. Request for Comments on Proposed Definitions
B. Applicability
i. Interpreting the CIRCIA Statutory Definition of Covered
Entity
ii. Determining if an Entity Is in a Critical Infrastructure
Sector
iii. Clear Description of the Types of Entities That Constitute
Covered Entities Based on Statutory Factors
iv. Explanation of Specific Proposed Applicability Criteria
v. Other Approaches Considered To Describe Covered Entity
vi. Request for Comments on Applicability Section
C. Required Reporting on Covered Cyber Incidents and Ransom
Payments
i. Overview of Reporting Requirements
ii. Reporting of Single Incidents Impacting Multiple Covered
Entities
D. Exceptions to Required Reporting on Covered Cyber Incidents
and Ransom Payments
i. Substantially Similar Reporting Exception
ii. Domain Name System (DNS) Exception
iii. Exception for Federal Agencies Subject to Federal
Information Security Modernization Act Reporting Requirements
E. Manner, Form, and Content of Reports
i. Manner of Reporting
ii. Form for Reporting
iii. Content of Reports
iv. Timing of Submission of CIRCIA Reports
v. Report Submission Procedures
vi. Request for Comments on Proposed Manner, Form, and Content
of Reports
F. Data and Records Preservation Requirements
i. Types of Data That Must Be Preserved
ii. Required Preservation Period
iii. Data Preservation Procedural Requirements
iv. Request for Comments on Proposed Data Preservation
Requirements
G. Enforcement
i. Overview
ii. Request for Information
iii. Subpoena
iv. Service of an RFI, Subpoena, or Notice of Withdrawal
v. Enforcement of Subpoenas
vi. Acquisition, Suspension, and Debarment Enforcement
Procedures
vii. Penalty for False Statements and Representations
viii. Request for Comments on Proposed Enforcement
H. Protections
i. Treatment of Information and Restrictions on Use
ii. Protection of Privacy and Civil Liberties
iii. Digital Security
iv. Request for Comments on Proposed Protections
I. Severability
V. Statutory and Regulatory Analyses
A. Regulatory Planning and Review
i. Number of Reports
ii. Industry Cost
iii. Government Cost
iv. Combined Costs
v. Benefits
vi. Accounting Statement
vii. Alternatives
B. Small Entities
C. Assistance for Small Entities
D. Collection of Information
E. Federalism
F. Unfunded Mandates Reform Act
G. Taking of Private Property
H. Civil Justice Reform
I. Protection of Children
J. Indian Tribal Governments
K. Energy Effects
L. Technical Standards
M. National Environmental Policy Act
VI. Proposed Regulation
List of Tables
Table 1: Affected Population, by Criteria
Table 2: Number of CIRCIA Reports, Primary Estimate
Table 3: Number of CIRCIA Reports
Table 4: Familiarization Cost by Entity Type, Primary Estimate
Table 5: Total Familiarization Costs ($ Millions, Undiscounted)
Table 6: Cost of CIRCIA Reporting
Table 7: Data and Record Preservation Costs
Table 8: Industry Cost Range, ($ Millions, Undiscounted)
Table 9: Total Industry Cost, Primary Estimate ($ Millions)
Table 10: Cost by Covered Entity Criteria, ($ Millions,
Undiscounted)
Table 11: Government Cost ($ Millions)
Table 12: Combined Industry and Government Cost, Primary Estimate ($
Millions)
Table 13: Combined Industry and Government Cost Range, ($ Millions)
Table 14: Summary of Cyber Event Losses and Counts, IRIS 2022
Table 15: OMB A-4 Accounting Statement ($ Millions, 2022 Dollars)
Table 16: Alternative 1 Industry Cost, Primary Estimate ($ Millions)
Table 17: Alternative 1 Combined Industry and Government Cost,
Primary Estimate, ($ Millions)
Table 18: Alternative 2 Industry Cost, Primary Estimate ($ Millions)
Table 19: Alternative 2 Combined Industry and Government Cost,
Primary Estimate ($ Millions)
Table 20: Alternative 3 Industry Cost, Primary Estimate ($ Millions)
Table 21: Alternative 3 Combined Industry and Government Cost,
Primary Estimate ($ Millions)
Table 22: Affected Population by Critical Infrastructure Sector
Table 23: Alternative 4 Industry Cost, Primary Estimate ($ Millions)
Table 24: Alternative 4 Combined Industry and Government Costs,
Primary Estimate ($ Millions)
Table 25: Alternatives Summary, Combined Industry and Government
Cost, Primary Estimate ($ Millions)
Abbreviations and Acronyms Frequently Used in This Document
ARIN American Registry for Internet Numbers
ATO Authority to Operate
BES Bulk Electric System
CFATS Chemical Facility Anti-Terrorism Standards
CFTC Commodity Futures Trading Commission
CHS U.S. House Committee on Homeland Security
CIA Confidentiality, Integrity, and Availability
CIP Critical Infrastructure Protection
CIRC Cyber Incident Reporting Council
CIRCIA Cyber Incident Reporting for Critical Infrastructure Act of
2022, as amended
CISA Cybersecurity and Infrastructure Security Agency
CSP Cloud Service Provider
DFARS Defense Federal Acquisition Regulation Supplement
DHS Department of Homeland Security
DNS Domain Name System
DOD Department of Defense
DOE Department of Energy
DOJ Department of Justice
EPA Environmental Protection Agency
ESA Educational Service Agency
FBI Federal Bureau of Investigation
FCC Federal Communications Commission
FDA Food and Drug Administration
FDIC Federal Deposit Insurance Corporation
FedRAMP Federal Risk and Authorization Management Program
FERC Federal Energy Regulatory Commission
FHFA Federal Housing Finance Agency
FICU Federally Insured Credit Union
FISMA Federal Information Security Modernization Act of 2014
FOIA Freedom of Information Act
FRB Federal Reserve Board
GAO Government Accountability Office
GCC Government Coordinating Council
GSA General Services Administration
gTLD Generic Top-Level Domain
HHS Department of Health and Human Services
HIPAA Health Insurance Portability and Accountability Act of 1996
HITECH Health Information Technology for Economic and Clinical
Health
HSGAC U.S. Senate Committee on Homeland Security and Governmental
Affairs
IANA Internet Assigned Numbers Authority
ICANN Internet Corporation for Assigned Names and Numbers
ICT Information and Communications Technology
IHE Institute of Higher Education
IP Internet Protocol
ISAC Information Sharing and Analysis Center
IT Information Technology
K-12 Kindergarten through 12th Grade
LEA Local Educational Agency
MTSA Maritime Transportation Security Act
NAICS North American Industry Classification System
NCF National Critical Function
NCUA National Credit Union Administration
NERC North American Electric Reliability Corporation
NIPP National Infrastructure Protection Plan
NIST National Institute of Standards and Technology
NORS Network Outage Reporting System
NPRM Notice of Proposed Rulemaking
NRC Nuclear Regulatory Commission
NSA National Security Agency
OCC Office of the Comptroller of the Currency
OEM Original Equipment Manufacturer
OMB Office of Management and Budget
OT Operational Technology
OTRB Over-the-Road Bus
POTW Publicly Owned Treatment Works
PPD Presidential Policy Directive
PRA Paperwork Reduction Act
PTPR Public Transportation and Passenger Railroads
RFI Request for Information
RIR Regional Internet Registry
RTR Research and Test Reactor
RSO Root Server Operator
SBA Small Business Administration
SCC Sector Coordinating Council
SEA State Educational Agency
SEC Securities and Exchange Commission
SLTT State, Local, Tribal, or Territorial
SRMA Sector Risk Management Agency
SSP Sector-Specific Plan
TLD Top-Level Domain
TSA Transportation Security Administration
TTP Tactics, Techniques, and Procedures
USCG United States Coast Guard
USDA United States Department of Agriculture
VoIP Voice over Internet Protocol
I. Public Participation
The Cybersecurity and Infrastructure Security Agency (CISA) views
public participation as essential to effective rulemaking and invites
interested persons to participate by submitting data, comments, and
other information on the content and assumptions made in this proposed
rule. Your comments can help shape the outcome of this rulemaking. CISA
is particularly interested in comments on the following:
a. Proposed Definitions. The proposed definition of covered cyber
incident and the other definitions CISA is proposing to include in the
regulation (see proposed Sec. 226.1 and Section IV.A in this
document);
b. Applicability. The proposed description of covered entity, the
scope of entities to whom this regulation applies (see proposed Sec.
226.2 and Section IV.B in this document);
c. Examples of Reportable Covered Cyber Incidents. The examples of
substantial cyber incidents included in this Notice of Proposed
Rulemaking (NPRM) (see Section IV.A.ii.3.e in this document);
d. CIRCIA Reporting Requirements and Procedures. The proposed
reporting requirements and procedures for CIRCIA Reports, specifically
the manner, form, and content of CIRCIA Reports (see proposed
Sec. Sec. 226.6 through 226.12 and Section IV.E.i-iii in this
document), including CISA's proposal to use a single, dynamic, web-
based form as the primary means of submission for all CIRCIA Reports
(see Section IV.E.i.2 in this document);
e. Proposed CIRCIA Report Submission Deadlines. The proposed
deadlines for submitting CIRCIA Reports and CISA's proposed
interpretations of these submission deadline requirements (see proposed
Sec. 226.5 and Section IV.E.iv in this document);
f. Data and Records Preservation Requirements. The proposed data
and records preservation requirements and preservation period (see
proposed Sec. 226.13 and Section IV.F in this document);
g. Enforcement Procedures. The proposed enforcement procedures,
including the procedures related to
issuance of a Request for Information (RFI) or subpoena and the
proposed subpoena withdrawal and appeals process (see proposed
Sec. Sec. 226.14 through 226.17 and Section IV.G in this document);
h. Treatment of Information and Restrictions on Use. The proposed
rules governing the protections and restrictions on the use of CIRCIA
Reports, information included in such reports, and responses to RFIs
(see proposed Sec. 226.18 and Section IV.H.i in this document); and
i. Procedures for Protecting Privacy and Civil Liberties. The
proposed procedures governing the protection of personal information
contained in CIRCIA Reports and responses to RFIs (see proposed Sec.
226.19 and Section IV.H.ii in this document), which are further
described in the draft Privacy and Civil Liberties Guidance for CIRCIA
(this draft document is available in the docket for this proposed
regulatory action (CISA-2022-0010)).
CISA is including in the docket a draft privacy and civil liberties
guidance document that would apply to CISA's retention, use, and
dissemination of personal information contained in a CIRCIA Report and
guide other Federal departments and agencies with which CISA will share
CIRCIA Reports. CISA encourages interested readers to review this draft
guidance and to submit comments on it. Commenters should clearly
identify which specific comment(s) concern the draft guidance document.
CISA will accept comments no later than the date provided in the
DATES section of this document. Interested parties may submit data,
comments, and other information using any of the methods described in
the ADDRESSES section of this document. To ensure appropriate
consideration of your comment, indicate the specific section of this
proposed rule and, if applicable, the specific comment request number
associated with the topic to which each comment applies; explain a
reason for any suggestion or recommendation; and include data,
information, or authority that supports the recommended course of
action. Comments submitted in a manner other than those described
above, including emails or letters sent to Department of Homeland
Security (DHS) or CISA officials, will not be considered comments on
the proposed rule and may not receive a response from CISA.
Instructions to Submit Comments. If you submit a comment, you must
submit it to the docket associated with CISA Docket Number CISA-2022-
0010. All submissions may be posted, without change, to the Federal
eRulemaking Portal at <a href="http://www.regulations.gov">www.regulations.gov</a> and will include any personal
information that you provide. You may choose to submit your comment
anonymously. Additionally, you may upload or include attachments with
your comments. Do not upload any material in your comments that you
consider confidential or inappropriate for public disclosure. Do not
submit comments that include trade secrets, confidential commercial or
financial information, Protected Critical Infrastructure Information,
Sensitive Security Information, or any other protected information to
the public regulatory docket. Please submit comments containing
protected information separately from other comments by contacting the
individual listed in the FOR FURTHER INFORMATION CONTACT section of
this document for instructions on how to submit comments that include
protected information. CISA will not place comments containing
protected information in the public docket and will handle them in
accordance with applicable safeguards and restrictions on access. CISA
will hold such comments in a separate file to which the public does not
have access and place a note in the public docket documenting receipt.
If CISA receives a request for a copy of any comments submitted
containing protected information, CISA will process such a request
consistent with the Freedom of Information Act (FOIA), 5 U.S.C. 552,
and the Department's FOIA regulation found in part 5 of title 6 of the
Code of Federal Regulations (CFR).
To submit a comment, go to <a href="http://www.regulations.gov">www.regulations.gov</a>, type CISA-2022-0010
in the search box and click ``Search.'' Next, look for this Federal
Register notice of proposed rulemaking in the Search Results column,
and click on it. Then click on the Comment option. If you cannot submit
your comment by using <a href="https://www.regulations.gov">https://www.regulations.gov</a>, call or email the
point of contact in the FOR FURTHER INFORMATION CONTACT section of this
document for alternate instructions.
Viewing material in docket. For access to the docket and to view
documents mentioned in this NPRM as being available in the docket, go
to <a href="https://www.regulations.gov">https://www.regulations.gov</a>, search for the docket number provided
in the previous paragraph, and then select ``Supporting & Related
Material'' in the Document Type column. Public comments will also be
placed in the docket and can be viewed by following instructions on the
Frequently Asked Questions web page <a href="https://www.regulations.gov/faq">https://www.regulations.gov/faq</a>.
The Frequently Asked Questions page also explains how to subscribe for
email alerts that will notify you when comments are posted or if
another Federal Register document is published. CISA will review all
comments received. CISA may choose to withhold information provided in
comments from public viewing or to not post comments that CISA
determines are off-topic or inappropriate.
Public meeting. CISA does not plan to hold additional public
meetings at this time, but may consider doing so if CISA determines
from public comments that a meeting would be helpful. If CISA decides
to hold a public meeting, a notice announcing the date, time, and
location for the meeting will be issued in a separate Federal Register
notice.
II. Executive Summary
A. Purpose and Summary of the Regulatory Action
On March 15, 2022, the Cyber Incident Reporting for Critical
Infrastructure Act of 2022 (CIRCIA) was signed into law. See 6 U.S.C.
681-681g; Public Law 117-103, as amended by Public Law 117-263 (Dec.
23, 2022). CIRCIA requires covered entities to report to CISA within
certain prescribed timeframes any covered cyber incidents, ransom
payments made in response to a ransomware attack, and any substantial
new or different information discovered related to a previously
submitted report. 6 U.S.C. 681b(a)(1)-(3). CIRCIA further requires the
Director of CISA to implement these new reporting requirements through
rulemaking, by issuing an NPRM no later than March 15, 2024, and a
final rule within 18 months of publication of the NPRM. 6 U.S.C.
681b(b). CISA is issuing this NPRM to solicit public comment on
proposed regulations that would codify these reporting requirements.
This NPRM is divided into six sections. Section I--Public
Participation describes the process for members of the public to submit
comments on the proposed regulations and lists specific topics on which
CISA is particularly interested in receiving public comment. Section
II--Executive Summary contains a summary of the proposed regulatory
action and the anticipated costs and benefits of the proposed
regulations. Section III--Background and Purpose contains a summary of
the legal authority for this proposed regulatory action; an overview of
the current regulatory cyber incident reporting landscape; a
description of the purpose of the proposed regulations; a discussion of
efforts CISA has taken to
harmonize these proposed regulations with other Federal cyber incident
reporting regulations; a discussion of information sharing activities
related to the proposed regulations; and a summary of the comments CISA
received in response to an RFI issued by CISA on approaches to the
proposed regulations and during listening sessions hosted by CISA on
the same topic. Section IV--Discussion of Proposed Rule includes a
detailed discussion of the proposed rule, the justification for CISA's
specific proposals, and the alternatives considered by CISA. Section
V--Statutory and Regulatory Analyses contains the analyses that CISA is
required by statute or Executive Order to perform as part of the
rulemaking process prior to issuance of the final rule, such as the
Initial Regulatory Flexibility Analysis and Unfunded Mandates Reform
Act analysis. Section VI contains the proposed regulatory text.
The proposed rule comprises 20 sections, Sec. Sec. 226.1
through 226.20, beginning with a section containing definitions for a
number of key terms used throughout the proposed regulation. Among
other definitions, Sec. 226.1 includes proposed definitions for the
terms used to describe and ultimately scope what types of incidents
must be reported to CISA (i.e., cyber incident, covered cyber incident,
ransom payment, and substantial cyber incident) and the term used to
describe the different types of reports that must be submitted (i.e.,
CIRCIA Reports).
The next section of the proposed rule, Sec. 226.2, describes the
applicability of the proposed rule to certain entities in a critical
infrastructure sector, i.e., those entities that are considered covered
entities and to whom the operative provisions of the rule would apply.
The next section of the proposed rule, Sec. 226.3, describes the
circumstances under which a covered entity must submit a CIRCIA Report
to CISA. This includes when a covered entity experiences a covered
cyber incident, makes a ransom payment, has another entity make a
ransom payment on its behalf, or acquires substantial new or different
information after submitting a previous CIRCIA Report. See Sec. 226.3;
Section IV.C in this document. CISA is proposing three exceptions to
these reporting requirements for covered entities, which are in Sec.
226.4 of the proposed regulation and described in Section IV.D in this
document. These exceptions include when a covered entity reports
substantially similar information in a substantially similar timeframe
to another Federal agency pursuant to an existing law, regulation, or
contract when a CIRCIA Agreement is in place between CISA and the other
Federal agency; when an incident impacts certain covered entities
related to the Domain Name System (DNS); and when Federal agencies are
required by the Federal Information Security Modernization Act of 2014
(FISMA) to report incidents to CISA. See Sec. 226.4 of the proposed
regulation and Section IV.D of this document.
Section 226.5 of the proposed regulation contains the submission
deadlines for the four different types of CIRCIA Reports (i.e., Covered
Cyber Incident Reports; Ransom Payment Reports; Joint Covered Cyber
Incident and Ransom Payment Reports; Supplemental Reports). These
deadlines, including how to calculate them, are discussed further in
Section IV.E.iv in this document. Section 226.6 of the proposed
regulation sets forth the proposed manner and form of reporting, which
CISA proposes to be through a web-based CIRCIA Incident Reporting Form
available on CISA's website or in any other manner and form of
reporting approved by the Director. Additional details on the proposed
manner and form of reporting and related submission procedures are
contained in Sections IV.E.i, ii and v in this document. The
information CISA proposes that covered entities must include in each of
the four types of CIRCIA Reports is enumerated in Sec. Sec. 226.7
through 226.11 and expanded upon in Section IV.E.iii in this document.
A covered entity may use a third party to submit a CIRCIA Report to
CISA on the covered entity's behalf to satisfy the covered entity's
reporting obligations. See 6 U.S.C. 681b(d). The proposed procedures
and requirements for using a third party to submit a CIRCIA Report on
behalf of the covered entity are contained in Sec. 226.12 of the
proposed regulations and discussed in detail in Section IV.E.v.3 in
this document. The proposed regulation also affirms the statutorily
mandated obligation for a third party to advise the covered entity of
its ransom payment reporting obligations under CIRCIA when the third
party knowingly makes a ransom payment on behalf of a covered entity.
See 6 U.S.C. 681b(d)(4), Sec. 226.12(d) of the proposed regulations,
and Section IV.E.v.3.e of the NPRM.
Section 226.13 of the proposed regulation sets forth the proposed
data and records preservation requirements. It includes a recitation of
the types of data and records that a covered entity must preserve; the
required preservation period; the format or form in which the data and
records must be preserved; and the storage, protection, and allowable
uses of the preserved data and records. See Sec. 226.13 and Section
IV.F in this document.
CIRCIA authorizes CISA to use various mechanisms to obtain
information from a covered entity about a covered cyber incident or
ransom payment that was not reported in accordance with CISA's proposed
regulatory reporting requirements. 6 U.S.C. 681d. These mechanisms
include the issuance of an RFI; the issuance of a subpoena; a referral
to the Attorney General to bring a civil action in District Court to
enforce a subpoena; and acquisition, suspension, and debarment
enforcement procedures. The proposed procedures for each of these
enforcement mechanisms are contained in Sec. Sec. 226.14 through
226.17 of the proposed regulation and discussed in Section IV.G.i-vi in
this document.
CIRCIA provides a variety of requirements related to the treatment
and restrictions on the use of CIRCIA Reports, information contained in
such reports, as well as information submitted in response to an RFI.
See 6 U.S.C. 681e(b), 681e(a)(1), (5). CIRCIA also provides liability
protection for the submission of a CIRCIA Report in compliance with the
reporting requirements established in the CIRCIA regulation. 6 U.S.C.
681e(c). To ensure that such requirements related to the treatment and
restrictions on the use of CIRCIA Reports are applied consistently,
CISA proposes to include them in Sec. 226.18, as discussed in Section
IV.H.i in this document. CISA additionally proposes steps to minimize
the collection of unnecessary personal information in CIRCIA Reports
and additional procedures for protecting privacy and civil liberties
related to the submission of CIRCIA Reports and responses to RFIs.
These proposed procedures for protecting privacy and civil liberties
are contained in Sec. 226.19 of the proposed regulation and discussed
further in Section IV.H.ii in this document as well as in the guidance
document posted to the docket for this proposed rule.
The final section of the proposed regulation, Sec. 226.20,
proposes two distinct procedural provisions. The first proposed
provision provides that any person who knowingly and willfully makes a
materially false or fraudulent statement or representation in
connection with, or within, a CIRCIA Report, RFI response, or reply to
an administrative subpoena is subject to penalties under 18 U.S.C.
1001. Sec. 226.20(a). The second proposed provision is a severability
clause, which
states CISA intends the various provisions of this part to be severable
from each other to the extent practicable, such that if a court of
competent jurisdiction were to vacate or enjoin any one provision, the
other provisions remain in effect unless they are dependent upon the
vacated or enjoined provision. Sec. 226.20(b). These are discussed in
Sections IV.G.vii and IV.I in this document, respectively.
B. Summary of Costs and Benefits
CISA estimates the cost of this proposed rule would be $2.6 billion
over the period of analysis \1\ (undiscounted). CISA estimates that
there will be 316,244 entities potentially affected by the proposed
rule (i.e., covered entities) who collectively will submit an estimated
total of 210,525 CIRCIA Reports over the period of analysis, resulting
in $1.4 billion (undiscounted) in cost to industry and $1.2 billion
(undiscounted) in cost to the Federal Government. The cost over the
period of analysis discounted at 2% would be $2.4 billion ($1.3 billion
for industry, $1.1 billion for government), with an annualized cost of
$244.6 million, as presented in the Preliminary Regulatory Impact
Analysis (RIA) included in the docket. The main industry cost drivers
of this proposed rule are the initial costs associated with becoming
familiar with the proposed rule, followed by the recurring data and
records preservation requirements, and then reporting requirements.
Other industry costs include those associated with help desk calls and
enforcement actions. Government costs include costs CISA anticipates
incurring associated with the creation, implementation, and operation
of the government infrastructure needed to run the CIRCIA program. This
includes both personnel and technology costs necessary to support the
receipt, analysis, and sharing of information from CIRCIA Reports
submitted to CISA.
---------------------------------------------------------------------------
\1\ CISA used an 11-year period of analysis spanning from 2023-
2033 to reflect that CISA began incurring costs related to CIRCIA
implementation in 2023, one year prior to the publication of the
NPRM. See the Executive Summary section of the CIRCIA Regulation
Proposed Rulemaking Preliminary Regulatory Impact Analysis and
Initial Regulatory Flexibility Analysis for additional detail on the
period of analysis.
---------------------------------------------------------------------------
The Preliminary RIA also discusses the qualitative benefits of the
proposed rule. From a qualitative benefits perspective, the proposed
reporting requirements, analytical activities, and information sharing
will lead to Federal and non-Federal stakeholders having the ability to
adopt an enhanced overall level of cybersecurity and resiliency,
resulting in direct, tangible benefits to the nation. For example:
<bullet> By supporting CISA's ability to share information that
will enable non-Federal and Federal partners to detect and counter
sophisticated cyber campaigns earlier with the potential for
significant avoided or minimized negative impacts to critical
infrastructure or national security, CIRCIA's mandatory reporting
requirements reduce the risks associated with those campaigns.
<bullet> By facilitating the identification and sharing of
information on exploited vulnerabilities and measures that can be taken
to address those vulnerabilities, incident reporting enables entities
with unremediated and unmitigated vulnerabilities on their systems to
take steps to remedy or mitigate those vulnerabilities before they also
fall victim to cyberattack.
<bullet> By supporting sharing of information about common threat
actor tactics, techniques, and procedures with the IT community, cyber
incident reporting will enable software developers and vendors to
develop more secure products or send out updates to add security to
existing products, better protecting end users.
<bullet> By enabling rapid identification of ongoing incidents and
increased understanding of successful mitigation measures, incident
reporting increases the ability of impacted entities and the Federal
government to respond to ongoing campaigns faster and mitigate or
minimize the consequences that could result from them.
<bullet> Law enforcement entities can use the information submitted
in reports to investigate, identify, capture, and prosecute
perpetrators of cybercrime, getting malicious cyber actors off the
street and deterring future actors.
<bullet> By contributing to a more accurate and comprehensive
understanding of the cyber threat environment, incident reporting
allows for CISA's Federal and non-Federal stakeholders to more
efficiently and effectively allocate resources to prevent, deter,
defend against, respond to, and mitigate significant cyber incidents.
These benefits, which stem from CISA receiving cyber incident and
ransom payment reporting for aggregation, analysis, and information
sharing, directly contribute to a reduction in economic, health,
safety, and security consequences associated with cyber incidents by
reducing the number of cyber incidents successfully perpetrated and
mitigating the consequences of those cyber incidents that are
successful by catching them earlier. It is worth noting that these
benefits are not limited to covered entities required to report under
CIRCIA, but also inure to entities not subject to CIRCIA's reporting
requirements as they too will receive the downstream benefits of
enhanced information sharing, more secure technology products, and an
ability to better defend their networks based on sector-specific and
cross-sector understandings of the threat landscape.
CISA also anticipates qualitative benefits stemming from the data
and record preservation requirements of this proposed rule. The
preservation of data and records in the aftermath of a covered cyber
incident serves a number of critical purposes, such as supporting the
ability of analysts and investigators to understand how a cyber
incident was perpetrated and by whom.
III. Background and Purpose
A. Legal Authority
On March 15, 2022, the Cyber Incident Reporting for Critical
Infrastructure Act of 2022 (CIRCIA) was signed into law. See 6 U.S.C.
681-681g; Public Law 117-103, as amended by Public Law 117-263 (Dec.
23, 2022). CIRCIA requires covered entities to report to CISA covered
cyber incidents within 72 hours after the covered entity reasonably
believes that the covered cyber incident has occurred and ransom
payments made in response to a ransomware attack within 24 hours after
the ransom payment has been made. 6 U.S.C. 681b(a). Among other
benefits, this new authority will enhance CISA's ability to identify
trends and track cyber threat activity across the cyber threat
landscape beyond the Federal agencies that are already required to
report information on certain cyber incidents to CISA pursuant to the
FISMA, 44 U.S.C. 3554(b)(7)(C)(ii) and 6 U.S.C. 652(c)(3). CIRCIA
requires the Director of CISA to implement these new reporting
requirements through rulemaking, by issuing a Notice of Proposed
Rulemaking no later than March 15, 2024, and a final rule within 18
months of the NPRM's publication. 6 U.S.C. 681b(b).
CIRCIA also authorizes CISA to request information and engage in
administrative enforcement actions to compel a covered entity to
disclose information if it has failed to comply with its reporting
obligations. 6 U.S.C. 681d. CIRCIA establishes information treatment
requirements and restrictions on use, including certain protections
against liability and exemptions from public disclosure, for required
reports and information submitted to CISA. 6 U.S.C. 681e, 681d(b)(2),
681c(c). CIRCIA also provides for Federal interagency
[[Page 23649]]
coordination and sharing of information on cyber incidents, including
ransomware attacks, reported to Federal departments and agencies, and
covered cyber incidents and ransom payments reported to CISA. 6 U.S.C.
681a(a)(10), (b), 681g.
Although CIRCIA requires CISA to implement new reporting
requirements through regulation, CISA's rulemaking authority under
CIRCIA does not supersede, abrogate, modify, or otherwise limit any
authority to regulate or act with respect to the cybersecurity of an
entity vested in any United States Government officer or agency. 6
U.S.C. 681b(h). Therefore, covered entities that are obligated to
report covered cyber incidents or ransom payments pursuant to another
Federal regulatory requirement, directive, or similar mandate will
remain obligated to do so even if the reporting requirements differ
from those established by CIRCIA. Where CIRCIA imposes regulatory
requirements that may overlap or duplicate other Federal regulatory
requirements, CISA is committed to working with other Federal partners
to explore options to minimize unnecessary duplication between CIRCIA's
reporting requirements and other Federal cyber incident reporting
requirements and welcomes public comment regarding options to minimize
unnecessary duplication or identification of specific Federal cyber
incident reporting requirements where such duplication is likely to
occur. Additionally, CIRCIA does not permit or require a provider of a
remote computing service or electronic communication service to the
public to disclose information not otherwise permitted or required to
be disclosed under 18 U.S.C. 2701-2713 (commonly known as the ``Stored
Communications Act''). 6 U.S.C. 681e(e).
CIRCIA also provides that entities may voluntarily report cyber
incidents or ransom payments to CISA that are not required to be
reported under the CIRCIA regulations, and applies the same information
treatment requirements on use (including liability protections) and
restrictions on use to such voluntarily submitted reports. 6 U.S.C.
681c(a), (c); 681e. CISA is not, however, proposing to address entirely
voluntary reporting (e.g., how such reports may be submitted) in this
rulemaking.
B. Current Cyber Incident Reporting Landscape
The cyber incident reporting landscape currently consists of dozens
of Federal and state, local, tribal, or territorial (SLTT) cyber
incident reporting requirements that may apply to entities operating
within the United States, depending on where an entity or its customers
are located and the type of business in which the entity is engaged. At
the Federal level alone, more than three dozen different cyber incident
reporting requirements currently are in effect, with a number of
additional proposed regulatory reporting requirements in various stages
of development. At the SLTT level, the District of Columbia, Puerto
Rico, the Virgin Islands, Guam, and all 50 states have laws that
require reporting and/or public disclosure of at least some cyber
incidents that result in data breaches.
Despite these myriad Federal and SLTT reporting requirements, prior
to the enactment of CIRCIA, there was no Federal statute or regulation
supporting a comprehensive and coordinated approach to understanding
cyber incidents across critical infrastructure sectors. Nor was there a
Federal department or agency charged with coordinating cross-sector
sharing of information related to cyber incidents with Federal and non-
Federal stakeholders. Indeed, during the lead up to the passage of
CIRCIA, Congress stated ``[t]oday no one U.S. Government agency has
visibility into all cyber-attacks occurring against U.S. critical
infrastructure on a daily basis. This bill would change that--enabling
a coordinated, informed U.S. response to the foreign governments and
criminal organizations conducting these attacks against the U.S.'' \2\
The enactment of CIRCIA authorized CISA to fill these key gaps in the
current cyber incident reporting landscape.
---------------------------------------------------------------------------
\2\ U.S. Senate Committee on Homeland Security and Governmental
Affairs (HSGAC), Cyber Incident Reporting for Critical
Infrastructure Act at 1 (Dec. 17, 2021), available at <a href="https://www.hsgac.senate.gov/wp-content/uploads/imo/media/doc/Overview%20of%20Cyber%20Incident%20Reporting%20Legislation.pdf">https://www.hsgac.senate.gov/wp-content/uploads/imo/media/doc/Overview%20of%20Cyber%20Incident%20Reporting%20Legislation.pdf</a>
(hereinafter, ``HSGAC Fact Sheet'').
---------------------------------------------------------------------------
There are a number of different reasons why a government entity may
establish cyber incident reporting requirements. A recent DHS report to
Congress based on the work of the Cyber Incident Reporting Council
(CIRC) \3\ titled Harmonization of Cyber Incident Reporting to the
Federal Government suggests that these reasons generally can be
organized into two primary categories.\4\ The first category consists
of regulations primarily focused on national security, economic
security, public health and safety, and/or the resiliency of National
Critical Functions (NCFs). A majority of Federal reporting regimes
appear to be solely or primarily animated by these concerns. The
remaining Federal cyber incident reporting regimes, as well as
virtually all SLTT cyber incident reporting regimes, are designed
primarily to address privacy, consumer protection, or investor
protection considerations. This second category includes all the
reporting regimes often referred to as data breach notification laws.
---------------------------------------------------------------------------
\3\ CIRCIA established an intergovernmental Cyber Incident
Reporting Council. Chaired by the Secretary of Homeland Security,
the CIRC is responsible for coordinating, deconflicting, and
harmonizing Federal incident reporting requirements, including those
issued through regulations. 6 U.S.C. 681f.
\4\ Department of Homeland Security, Harmonization of Cyber
Incident Reporting to the Federal Government at 5 (Sept. 19, 2023),
available at <a href="https://www.dhs.gov/publication/harmonization-cyber-incident-reporting-federal-government">https://www.dhs.gov/publication/harmonization-cyber-incident-reporting-federal-government</a> (hereinafter, ``the DHS
Report'').
---------------------------------------------------------------------------
Outside of state data breach notification laws, most existing cyber
incident reporting requirements target specific communities with common
characteristics. Some focus on entities within a specific industry or
sector (e.g., commercial nuclear power reactors; financial services
institutions) while others cover entities across sectors that possess
certain shared characteristics (e.g., entities possessing threshold
quantities of certain chemicals of interest that render those entities
high-risk of being targeted by terrorists; entities located upon
navigable bodies of water where they present the risk of a
transportation security incident; entities that maintain personal
health-related records).
Central aspects of cyber incident reporting regimes, such as what
constitutes a reportable incident, the process for reporting an
incident, which entity receives the report, what information must be
reported, and how long an entity has to report the incident, can vary
widely from regime to regime, with the purpose of the regime frequently
impacting these variables. For instance, reporting regimes focused on
national or economic security tend to have shorter deadlines for
reporting than those regimes focused on privacy or consumer
protections. Similarly, reporting regimes focused on national or
economic security almost universally require reporting to a Federal
department or agency, while regimes with a primary purpose of privacy
or consumer protections often require reporting to the impacted
individual and sometimes credit reporting agencies, instead of, or in
addition to, reporting to the governing Federal or SLTT entity.
Given the number and variety of different cyber incident reporting
regimes, and their continued evolution,
[[Page 23650]]
CISA does not intend to describe each one of them as part of this
section. Instead, CISA is providing the following brief summaries of
some of the major regulatory programs that require reporting of cyber
incidents and that are concerned at least in part with national
security, economic security, public safety, and/or the resiliency of
NCFs: \5\
---------------------------------------------------------------------------
\5\ Individuals interested in learning more about existing
Federal cyber incident reporting requirements are encouraged to
review the Federal Cyber Incident Reporting Requirements Inventory
contained in Appendix B of the DHS Report, supra note 4.
---------------------------------------------------------------------------
<bullet> Chemical Facility Anti-Terrorism Standards (CFATS). CISA's
CFATS program worked for the prior 16 years to identify and regulate
high-risk chemical facilities to ensure security measures are in place
to reduce the risk of certain chemicals of interest from being
weaponized by terrorists. See 6 CFR part 27. Under CFATS Risk-Based
Performance Standard 15, CFATS-covered facilities were expected to
establish protocols governing the identification and reporting of
significant cyber incidents to the appropriate facility personnel,
local law enforcement, and/or CISA. On July 28, 2023, the statutory
authority for the CFATS program expired, but CISA anticipates that
CFATS will be reauthorized prior to the publication of the CIRCIA Final
Rule.
<bullet> Defense Federal Acquisition Regulation Supplement (DFARS).
Pursuant to 32 CFR 236.1-236.7 and 48 CFR 252.204-7012, Department of
Defense (DOD) contractors must report to DOD all cyber incidents (1)
involving covered defense information on their covered contractor
information systems or (2) affecting the contractor's ability to
provide operationally critical support. Contractors subject to these
requirements, who are members of the Defense Industrial Base sector,
must report cyber incidents to DOD at <a href="https://dibnet.dod.mil">https://dibnet.dod.mil</a>.
<bullet> Department of Energy (DOE) DOE-417 reporting requirements.
DOE's Office of Cybersecurity, Energy Security, and Emergency Response
requires certain Energy Sector entities to report certain cybersecurity
incidents to DOE pursuant to 15 U.S.C. 772(b). Entities subject to the
reporting requirements include Balancing Authorities, Reliability
Coordinators, some Generating Entities, and Electric Utilities,
including those located in Puerto Rico, the Virgin Islands, Guam, or
other U.S. possessions.
<bullet> Federal Communications Commission's (FCC) Network Outage
Reporting System (NORS) Requirements. Under 47 CFR part 4, providers of
telecommunications services and Voice over internet Protocol (VoIP)
providers are required to report to the FCC communications service
outages, including those caused by cyber incidents, that meet certain
minimum requirements for duration and magnitude. The goal of this
regulation, which applies to wireline, wireless, VoIP, cable,
satellite, Signaling System 7, submarine cable, covered 911 service,
and covered 988 service providers, is to provide rapid, complete, and
accurate information on service disruptions that could affect homeland
security, public health or safety, and the economic well-being of the
Nation and help ensure the public's access to emergency services.
<bullet> Federal Information Security Modernization Act of 2014.
FISMA requires Federal civilian departments and agencies to report
cybersecurity incidents to CISA within one hour of discovery.\6\ CISA
uses information received in FISMA incident reports to, among other
things, provide technical assistance to victims of cyber incidents,
compile and analyze incident information to identify cyber threats and
vulnerabilities, and share guidance with others on how to detect,
handle, and prevent similar incidents.\7\ Federal agencies are also
required to report major incidents under FISMA and pursuant to OMB
Guidance, including those that implicate personal information.\8\
---------------------------------------------------------------------------
\6\ 44 U.S.C. 3554(b)(7)(C)(ii).
\7\ 44 U.S.C. 3556(a).
\8\ 44 U.S.C. 3554(b)(7)(C)(iii).
---------------------------------------------------------------------------
<bullet> Federal Risk and Authorization Management Program
(FedRAMP). FedRAMP requires any cloud service providers (CSPs) with a
Federal agency-issued Authority to Operate (ATO) or a FedRAMP-issued
provisional ATO to report suspected and confirmed information security
incidents to the FedRAMP Program Management Office within the General
Services Administration (GSA), CISA, and the affected agency.\9\
---------------------------------------------------------------------------
\9\ See FedRAMP, GSA, <a href="https://www.gsa.gov/technology/government-it-initiatives/fedramp">https://www.gsa.gov/technology/government-it-initiatives/fedramp</a> (last visited Nov. 27, 2023).
---------------------------------------------------------------------------
<bullet> Financial Services Sector Regulations. Most of the primary
Financial Services Sector regulators have adopted cyber incident
reporting requirements for their regulated communities. Among other
things, these reporting requirements have been established to help
promote early awareness of emerging threats to banking organizations
and the broader financial system, and to help the regulating entities
react to these threats before they can cause systemic impacts across
the financial system. Included among these are cyber incident reporting
requirements managed by the Office of the Comptroller of the Currency
(OCC) (12 CFR part 53), the Federal Reserve Board (FRB) (12 CFR part
225), the Federal Deposit Insurance Corporation (FDIC) (12 CFR part
304), the Commodity Futures Trading Commission (CFTC) (see, e.g., 17
CFR 38.1051 (designated contract markets); 17 CFR 37.1401 (swap
execution facilities); 17 CFR 39.18 (derivatives clearing
organizations); 17 CFR 49.24 (swap data repositories); 17 CFR 23.603
(swap dealers)), the National Credit Union Administration (NCUA) (12
CFR part 748), the Securities and Exchange Commission (SEC) (see, e.g.,
17 CFR parts 229, 232, 239, 240, 242, and 249), and the Federal Housing
Finance Agency (FHFA) (Advisory Bulletin 2020-05).
<bullet> Maritime Transportation Security Act (MTSA). Under MTSA
(33 CFR parts 104, 105, or 106) entities that own vessels or
facilities, including outer continental shelf facilities, subject to
MTSA must report cyber incidents to the U.S. Coast Guard's (USCG)
National Response Center. These cyber incident reporting requirements
are part of a larger suite of security requirements for vessels and
facilities to identify, assess, and prevent transportation security
incidents (TSIs) in the marine transportation system. USCG is also in
the process of updating its maritime security regulations by adding
cybersecurity requirements to existing Maritime Security
regulations.\10\
---------------------------------------------------------------------------
\10\ See Office of Management and Budget, Office of Information
and Regulatory Affairs Unified Agenda, available at <a href="https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202304&RIN=1625-AC77">https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202304&RIN=1625-AC77</a>.
---------------------------------------------------------------------------
<bullet> North American Electric Reliability Corporation (NERC)
Critical Infrastructure Protection (CIP) standard CIP-008-6: Cyber
Security--Incident Reporting and Response Planning. Certain electric
grid entities, designated as ``responsible entities,'' are required to
report cyber incidents to both CISA and the Electricity Information
Sharing and Analysis Center (ISAC), a component of NERC. See 18 CFR
part 40 and CIP-008-6. The goal of these reporting requirements, which
were developed pursuant to the authority granted NERC in Section 215 of
the Federal Power Act (16 U.S.C. Ch 12, as amended through Pub. L. 115-
325) to develop mandatory and enforceable reliability standards subject
to Federal Energy Regulatory Commission (FERC) review and approval, is
to mitigate the risk to the reliable operation of the Bulk Electric
[[Page 23651]]
System (BES) as the result of a cybersecurity incident.
<bullet> Nuclear Regulatory Commission (NRC) Cyber Security Event
Notification Regulation. Owners and operators of commercial nuclear
power reactors are required to report cyber incidents impacting safety,
security, or emergency preparedness functions to the NRC.\11\
---------------------------------------------------------------------------
\11\ 10 CFR 73.77.
---------------------------------------------------------------------------
<bullet> The Food and Drug Administration (FDA) Medical Device
Regulations. Under section 519 of the Federal Food, Drug, and Cosmetic
Act (21 U.S.C. 360i), as implemented by the Medical Device Reporting
Regulations (21 CFR part 803) and the Medical Device Reports of
Corrections and Removals Regulations (21 CFR part 806), manufacturers
and importers must report certain device-related adverse events and
product problems, including those caused by cyber incidents, to the
FDA. For example, medical device manufacturers are required to report
to the FDA when they learn that any of their devices may have caused or
contributed to a death or serious injury. Manufacturers must also
report to the FDA when they become aware that their device has
malfunctioned and would be likely to cause or contribute to a death or
serious injury if the malfunction were to recur. Medical device
manufacturers and importers also must report to FDA any correction or
removal of a medical device initiated to reduce a risk to health posed
by the device or to remedy a violation of the Federal Food, Drug, and
Cosmetic Act, including those caused by cyber incidents, caused by the
device that may present a risk to health. A report must be made even if
the event was caused by user error.
<bullet> Transportation Security Administration (TSA) Security
Directives and Security Program Amendments. TSA has issued several
Security Directives and Security Program Amendments requiring various
Transportation Systems Sector entities to report cybersecurity
incidents to CISA.\12\ These include, among other provisions, reporting
requirements for certain passenger railroad carrier and rail transit
systems, hazardous and natural gas pipeline owners and operators,
freight railroad carriers, airport operators, aircraft operators,
indirect air carriers, and Certified Cargo Screening Facilities. TSA is
also in the process of codifying the requirements for surface
transportation through a rulemaking (TSA's regulations provide for
changes to aircraft operator security programs through an amendment
process).\13\
---------------------------------------------------------------------------
\12\ See, e.g., TSA Security Directive Pipeline-2021-01 series,
Enhancing Pipeline Cybersecurity; TSA Security Directive 1580-21-01
series, Enhancing Rail Cybersecurity, available at <a href="https://www.tsa.gov/sd-and-ea">https://www.tsa.gov/sd-and-ea</a>.
\13\ See Office of Management and Budget, Office of Information
and Regulatory Affairs Unified Agenda, available at <a href="https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202304&RIN=1652-AA74">https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202304&RIN=1652-AA74</a>.
---------------------------------------------------------------------------
C. Purpose of Regulation
While the legislative history and statutory text shed some light on
the goals that Congress hoped to achieve through this regulation,
Congress did not include an explicit statement of purpose in CIRCIA.
CISA believes considering the specific intended purpose behind a cyber
incident reporting regulation during the development of the regulations
is important as the purpose likely impacts key aspects of the
regulation, such as what entities are required to report, what types of
incidents must be reported, how quickly incidents must be reported,
what information must be included in incident reports, and to whom the
reports must be provided.
Many stakeholders echoed this belief in remarks made during CIRCIA
listening sessions or through comments provided in response to the
CIRCIA RFI, which encouraged CISA to articulate the goals of the
regulation to help inform the best regulatory proposal.\14\ This
section of the NPRM is intended to provide insight into what CISA
interprets to be the purposes of the regulation that has informed the
development of CISA's proposed regulation.
---------------------------------------------------------------------------
\14\ See 87 FR 55833 (Sept. 12, 2022); comments submitted by
Information Technology Industry Council, CISA-2022-0010-0097 (``[I]t
is vital that CISA articulate its tactical goals and/or plan for
actualizing CIRCIA, as only upon understanding what CISA hopes to
accomplish with these reports can industry stakeholders provide more
specific commentary on key scoping and reporting threshold
questions.''); National Grain and Feed Association, CISA-2022-0010-
0104 (``CISA should also identify the specific purpose of reporting
an incident. For example, if the data will be used by the government
for trend identification.''); G. Rattray, CISA-2022-0010-0159
(``[CISA] will have to decide whether it is reporting that serves
the purpose of characterizing threats or you're trying to understand
risks and vulnerability. Both are probably viable analytically, but
those would lead to different sort of reporting requirements.'').
---------------------------------------------------------------------------
i. Purposes of the CIRCIA Regulation
CIRCIA's legislative history indicates that the primary purpose of
CIRCIA is to help preserve national security, economic security, and
public health and safety. For example, in December 2021, HSGAC issued a
fact sheet on the proposed legislation acknowledging the ``serious
national security threat'' posed by cyberattacks and stating that
CIRCIA would help enable a coordinated, informed U.S. response to the
foreign governments and criminal organizations conducting these attacks
against the United States.\15\ Similarly, the U.S. House Committee on
Homeland Security (CHS) issued a fact sheet on the proposed legislation
stating that CIRCIA would provide CISA and its Federal partners the
visibility needed to bolster cybersecurity, identify malicious cyber
campaigns in early stages, identify longer-term threat trends, and
ensure actionable cyber threat intelligence is getting to the first
responders and Federal officials who need it.\16\
---------------------------------------------------------------------------
\15\ HSGAC Fact Sheet, supra note 2, at 1.
\16\ CHS, The Cyber Incident Reporting for Critical
Infrastructure Act at 1, 3 (Aug. 2021), available at <a href="https://democrats-homeland.house.gov/download/incident-reporting-bill-draft-fact-sheet">https://democrats-homeland.house.gov/download/incident-reporting-bill-draft-fact-sheet</a> (hereinafter, ``CHS Fact Sheet'').
---------------------------------------------------------------------------
The plain language that Congress used throughout CIRCIA reflects
the purpose discussed in CIRCIA's legislative history. For example,
CIRCIA requires CISA to review covered cyber incidents that are
``likely to result in demonstrable harm to the national security
interests, foreign relations, or economy of the United States or to the
public confidence, civil liberties, or public health and safety of the
people of the United States'' and to ``identify and disseminate ways to
prevent or mitigate similar incidents in the future.'' 6 U.S.C. 681(9);
6 U.S.C. 681a(a)(6). CIRCIA also requires CISA to ``assess potential
impact of cyber incidents on public health and safety,'' and to
consider, when describing covered entities, both ``the consequences
that disruption to or compromise of [a covered entity] could cause to
national security, economic security, or public health and safety'' and
``the extent to which damage, disruption, or unauthorized access to
such an entity . . . will likely enable the disruption of the reliable
operation of critical infrastructure.'' 6 U.S.C. 681a(a)(1); 6 U.S.C.
681b(c)(1)(A), 681b(c)(1)(C).
Both CIRCIA's legislative history and statutory text highlight a
number of more discrete purposes within the broader goals of enhancing
national and economic security, and public health and safety. Some
examples of these purposes include trend and threat analysis (i.e., the
performance of cybersecurity threat and incident trend analysis and
tracking, to include the analysis and identification of adversary
tactics, techniques, and procedures (TTPs)); \17\ vulnerability and
mitigation
[[Page 23652]]
assessment (i.e., the identification of cyber vulnerabilities and the
assessment of countermeasures that might be available to address them);
\18\ the provision of early warnings (i.e., the rapid sharing of
information on cyber threats, vulnerabilities, and countermeasures
through the issuance of cybersecurity alerts or other means); \19\
incident response and mitigation (i.e., rapid identification of
significant cybersecurity incidents and offering of assistance--e.g.,
personnel, services--in incident response, mitigation, or recovery);
\20\ supporting Federal efforts to disrupt threat actors; \21\ and
advancing cyber resiliency (i.e., developing and sharing strategies for
improving overall cybersecurity resilience; facilitating use of cyber
incident data to further cybersecurity research; engagement with
software/equipment manufacturers on vulnerabilities and how to close
them).\22\
---------------------------------------------------------------------------
\17\ See, e.g., id. at 3; Stakeholder Perspectives on the Cyber
Incident Reporting for Critical Infrastructure Act of 2021 Before
the Subcomm. on Cybersecurity, Infrastructure Protection, and
Innovation of the H. Comm. on Homeland Security, 117th Cong. 64
(2021), available at <a href="https://www.congress.gov/event/117th-congress/house-event/114018/text">https://www.congress.gov/event/117th-congress/house-event/114018/text</a> (hereinafter, ``Stakeholder Perspectives
Hearing'') (statement of Rep. Yvette Clarke) (``One of the goals in
drafting this legislation was to provide CISA with enough
information to analyze and understand threats . . . .''); 6 U.S.C.
681a(a)(1) (CISA must aggregate and analyze reports to identify TTPs
adversaries use and to enhance situational awareness of cyber
threats across critical infrastructure sectors).
\18\ See, e.g., Responding to and Learning from the Log4Shell
Vulnerability Before the S. Comm. on Homeland Security and
Governmental Affairs, 117th Cong. 2 (2022) (statement of Sen. Gary
Peters, Chairman, S. Comm. on Homeland Security and Governmental
Affairs), available at <a href="https://www.hsgac.senate.gov/hearings/responding-to-and-learning-from-the-log4shell-vulnerability/">https://www.hsgac.senate.gov/hearings/responding-to-and-learning-from-the-log4shell-vulnerability/</a>
(hereinafter, ``Log4Shell Vulnerability Hearing Peters Statement'')
(``This legislation will help our lead cybersecurity agency better
understand the scope of attacks, including from vulnerabilities like
Log4j. . . .''); 6 U.S.C. 681a(a)(1) (CISA must aggregate and
analyze reports to assess the effectiveness of security controls).
\19\ See, e.g., Log4Shell Vulnerability Hearing Peters
Statement, supra note 18, at 2 (``This legislation will help our
lead cybersecurity agency . . . warn others of the threat, prepare
for potential impacts. . . .''); Minority Staff of S. Comm. on
Homeland Security and Governmental Affairs, 117th Cong., America's
Data Held Hostage: Case Studies in Ransomware Attacks on American
Companies vi (Comm. Print 2022), available at <a href="https://www.hsgac.senate.gov/library/files/americas-data-held-hostage-case-studies-in-ransomware-attacks-on-american-companies/">https://www.hsgac.senate.gov/library/files/americas-data-held-hostage-case-studies-in-ransomware-attacks-on-american-companies/</a> (``This
legislation will enhance the Federal Government's ability to combat
cyberattacks, mount a coordinated defense, hold perpetrators
accountable, and prevent and mitigate future attacks through the
sharing of timely and actionable threat information.''); 6 U.S.C.
681a(a)(3)(B) (CISA must provide entities with timely, actionable,
and anonymized reports of cyber incident campaigns and trends,
including, to the maximum extent practicable, cyber threat
indicators and defensive measures); 6 U.S.C. 681a(a)(5)-(7) (CISA
must identify and disseminate ways to prevent or mitigate cyber
incidents, and must review reports for cyber threat indicators that
can be anonymized and disseminated, with defensive measures, to
stakeholders).
\20\ See, e.g., HSGAC Fact Sheet, supra note 2, at 1 (``This
information will allow CISA to provide additional assistance to
avoid cyber-attacks against our critical infrastructure, like the
attacks on Colonial Pipeline and JBS Foods.''); Log4Shell
Vulnerability Hearing Peters Statement, supra note 18 (``This
legislation will help our lead cybersecurity agency . . . help
affected entities respond and recover.'').
\21\ See, e.g., Press Release, S. Comm. on Homeland Security and
Governmental Affairs, Portman, Peters Introduce Bipartisan
Legislation Requiring Critical Infrastructure Entities to Report
Cyberattacks (Sept. 28, 2021), available at <a href="https://www.hsgac.senate.gov/media/dems/peters-and-portman-introduce-bipartisan-legislation-requiring-critical-infrastructure-entities-to-report-cyber-attacks/">https://www.hsgac.senate.gov/media/dems/peters-and-portman-introduce-bipartisan-legislation-requiring-critical-infrastructure-entities-to-report-cyber-attacks/</a> (``As cyber and ransomware attacks continue
to increase, the federal government must be able to quickly
coordinate a response and hold these bad actors accountable.'');
Letter from Sen. Rob Portman, Ranking Member, S. Comm. on Homeland
Security and Governmental Affairs, to Vanessa Countryman, Secretary,
SEC, Re: RE: SEC Proposed Rule on Cybersecurity Risk Management,
Strategy, Governance, and Incident Disclosure, File No. S7-09-22, 3
(May 9, 2022), available at <a href="https://www.sec.gov/comments/s7-09-22/s70922-20128391-291294.pdf">https://www.sec.gov/comments/s7-09-22/s70922-20128391-291294.pdf</a> (``When considering the legislation,
Congress noted if the FBI is `provided information from reports
under the process outlined in the statute, [it] may, as appropriate,
use information contained in the reports and derived from them' for
a range of investigatory activities. This is consistent with the
statute which states incident reports can be used for `the purpose
[of] preventing, investigating, disrupting, or prosecuting an
offense arising out of a cyber incident' reported under the law.
This allows law enforcement agencies to disrupt and deter hostile
cyber actors. . . .'' (footnotes omitted)).
\22\ See, e.g., 6 U.S.C. 681a(a)(9) (CISA must proactively
identify opportunities to leverage and utilize data on cyber
incidents to enable and strengthen cybersecurity research carried
out by academia and private sector organizations).
---------------------------------------------------------------------------
ii. How the Regulatory Purpose of CIRCIA Influenced the Design of the
Proposed CIRCIA Regulation
Based on CISA's understanding of the purposes of CIRCIA, CISA
identified two fundamental principles that influenced the design of the
proposed CIRCIA regulation in key areas. First, to achieve many of the
desired goals of the proposed regulation--such as conducting analysis
to identify adversary TTPs and providing early warnings to enhance
situational awareness of cyber threats across critical infrastructure
sectors--CISA needs to receive a sufficient quantity of Covered Cyber
Incident Reports and Ransom Payment Reports from across the spectrum of
critical infrastructure. As noted by the Cyberspace Solarium
Commission, the government's cyber incident situational awareness, its
ability to detect coordinated cyber campaigns, and its cyber risk
identification and assessment efforts rely on comprehensive data and,
prior to the passage of CIRCIA, the Federal government lacked a mandate
to systematically collect cyber incident information reliably and at
the scale necessary.\23\ Sufficient data also is central to being able
to differentiate campaigns from isolated incidents and support the
development of more generalizable conclusions.\24\
---------------------------------------------------------------------------
\23\ Cyberspace Solarium Commission, Cyberspace Solarium
Commission Report at 103 (Mar. 2020), available at <a href="https://cybersolarium.org/march-2020-csc-report/march-2020-csc-report/">https://cybersolarium.org/march-2020-csc-report/march-2020-csc-report/</a>
(hereinafter ``Cyberspace Solarium Commission Report''); see also
Sandra Schmitz-Berndt, ``Defining the Reporting Threshold for a
Cybersecurity Incident under the NIS Directive and the NIS 2
Directive,'' Journal of Cybersecurity at 2 (Apr. 5, 2023) (``[L]ow
reporting levels result in a flawed picture of the threat landscape,
which in turn may impact cybersecurity preparedness.''), available
at <a href="https://academic.oup.com/cybersecurity/article/9/1/tyad009/7160387">https://academic.oup.com/cybersecurity/article/9/1/tyad009/7160387</a>.
\24\ See, e.g., CISA, Cost of a Cyber Incident: Systematic
Review and Cross-Validation at 49 (Oct. 26, 2020) (reliance on
limited data sources such as those based on convenience samples
``means that no statistical representativeness can be claimed
[which] limits the ability to support inference for generalizing
results beyond the studied samples.''), available at <a href="https://www.cisa.gov/resources-tools/resources/cost-cyber-incident-systematic-review-and-cross-validation">https://www.cisa.gov/resources-tools/resources/cost-cyber-incident-systematic-review-and-cross-validation</a>.
---------------------------------------------------------------------------
If CISA designs the proposed regulations in a way that overly
limits the quantity and variety of reports it receives from across
critical infrastructure sectors, CISA will lack sufficient information
to support reliable trend analysis, vulnerability identification,
provision of early warnings, and other key purposes of the proposed
regulation as indicated by CIRCIA. This fundamental principle was
particularly important for CISA as it considered different options
related to which entities should be required to report, what types of
cyber incidents should be reported, and the scope and amount of
technical detail necessary in CIRCIA Reports to enable CISA to conduct
threat analysis, track campaigns, and provide early warnings as
required by CIRCIA.
Many stakeholders provided comments in response to the RFI issued
in September 2022 cautioning CISA that collecting too many reports
could result in data overload and hinder CISA's ability to identify
important trends and vulnerabilities. While CISA agrees that there
could be some point at which the number of reports submitted begins to
yield diminishing marginal returns, CISA believes that, due to advances
in technology and strategies for managing large data sets, the
potential challenges associated with receiving large volumes of reports
can be mitigated through technological and procedural strategies.
Additionally, as discussed in Section IV.E.ii in this document, CISA
proposes to design the reporting form in a manner that is easy for a
covered entity or third-party submitter to complete, encourages the
submission of useful information,
[[Page 23653]]
and provides information to CISA in a manner that facilitates analysis
and review. As a result, CISA is less concerned about receiving too
many reports and more concerned about not receiving enough reports to
support the intended regulatory purposes of the CIRCIA regulations. As
noted by Microsoft President Brad Smith during his testimony in front
of the U.S. Senate Select Committee on Intelligence during a hearing on
the ``Hack of U.S. Networks by a Foreign Adversary,'' in the wake of
the supply chain compromise of the SolarWinds Orion product, ``one of
the challenges in this space is the nature of all threat intelligence,
whether it's cyber-based or physically based, is that it's always about
connecting dots. So the more dots you have, the more likely you are to
see a pattern and reach a conclusion. . . . And then they're spread out
across different parts of the public sector as well. So this notion of
aggregating them is key.'' \25\
---------------------------------------------------------------------------
\25\ Testimony of Brad Smith to the U.S. Senate Select Committee
on Intelligence, ``Hearing on Hack of U.S. Networks by a Foreign
Adversary'' (Feb. 23, 2021), available at <a href="https://www.intelligence.senate.gov/hearings/open-hearing-hearing-hack-us-networks-foreign-adversary">https://www.intelligence.senate.gov/hearings/open-hearing-hearing-hack-us-networks-foreign-adversary</a>.
---------------------------------------------------------------------------
CISA is cognizant of the fact that reporting does not come without
costs, however, so CISA is not seeking simply to capture the maximum
number of reports possible under the statutory language (i.e., by
scoping both the applicability of the rule and covered cyber incidents
as broadly as legally permissible). CISA's goal is to identify and
achieve the proper balance among the number of reports being submitted,
the benefits resulting from their submission, and the costs to both the
reporting entities and the government of the submission, analysis, and
storage of those reports.
The second major principle CISA identified that influenced aspects
of the proposed regulation was the importance of timeliness in both the
receipt of reports and in CISA's ability to analyze and share
information gleaned from those reports. To achieve the very important
early visibility and warning aspects of this regulatory regime and
increase the likelihood that entities across the critical
infrastructure community will be able to address identified
vulnerabilities and secure themselves against the latest adversary TTPs
before falling victim to them, time is of the essence. CISA kept this
second principle in mind as CISA considered options for when a covered
entity's reporting obligations begin under the proposed regulation and
the manner, form, and procedures for reporting.
Similar to the first principle, CISA recognizes that potential
drawbacks to overprioritizing timely reporting exist, such as
potentially impacting a covered entity's ability to conduct preliminary
incident response and mitigation. CISA also recognizes that a covered
entity may not have all the information in the early aftermath of
incident discovery, and that some preliminary determinations made at
the outset of an incident response process may later be determined to
be inaccurate when the entity is afforded time to conduct further
investigation and analysis. Accordingly, CISA has sought to balance the
critical need for timely reporting with the potential challenges
associated with rapid reporting in the aftermath of a covered cyber
incident. For example, CISA recognizes that covered entities may
require some limited time to conduct preliminary analysis before
establishing a reasonable belief that a covered cyber incident has
occurred and thereby triggering the 72-hour timeframe for reporting.
See Section IV.E.iv.1 in this document. Additionally, to the extent
that information that is required to be reported under the regulation
is evolving or unknown within the initial reporting deadline for a
covered cyber incident, CISA is proposing to allow covered entities to
submit new or updated information in a Supplemental Report as
additional information becomes known about the covered cyber incident.
See Section IV.E.iii.4 in this document.
D. Harmonization Efforts
Given the number of existing cyber incident reporting requirements
at the Federal and SLTT levels, CISA recognizes that covered entities
may be subject to multiple, potentially duplicative requirements to
report cyber incidents. In an attempt to minimize the burden on covered
entities potentially subject to both CIRCIA and other Federal cyber
incident reporting requirements, CISA is committed to exploring ways to
harmonize this regulation with other existing Federal reporting
regimes, where practicable, and seeks comment from the public on how it
can further achieve this goal. CISA is already engaged in several
efforts in furtherance of harmonization of cyber incident reporting,
including: (1) serving as a member of the CIRC and participating in the
CIRC's efforts to coordinate, deconflict, and harmonize Federal cyber
incident reporting requirements; (2) participating in the Cybersecurity
Forum for Independent and Executive Branch Regulators; (3) performing
extensive outreach with Federal and non-Federal entities to gain a
comprehensive understanding of the existing cyber incident reporting
regulatory landscape and gather perspectives on how to harmonize
existing cyber incident reporting requirements; and (4) engaging with
other Federal departments and agencies that implement cyber incident
reporting requirements to determine whether covered entities could
potentially take advantage of the proposed substantially similar
reporting exception to CIRCIA reporting (discussed further in Section
IV.D.i in this document).
CISA actively participated in the CIRC to help identify potential
approaches to harmonizing Federal cyber incident reporting requirements
and to support the identification of recommended practices that could
be considered by CISA and other Federal departments and agencies as
they develop or update their respective cyber incident reporting
regimes. Specifically, CISA participated in various DHS-led working
groups to identify potential recommended practices and areas of
harmonization related to Federal cyber incident reporting requirements,
many of which are reflected in the DHS Report.\26\ CISA considered the
DHS Report and its recommendations as it developed this proposed rule
and attempted to leverage the model definition and reporting form
recommended in the DHS Report to the extent practicable and consistent
with the unique regulatory authority granted to CISA under CIRCIA and
the purpose of the CIRCIA regulation (described in Sections III.A and C
in this document).
---------------------------------------------------------------------------
\26\ DHS Report, supra note 4, at 5.
---------------------------------------------------------------------------
CISA has also been an active participant in the Cybersecurity Forum
for Independent and Executive Branch Regulators. The goal of this
forum, which was initially launched in 2014, is to increase the overall
effectiveness and consistency of Federal regulatory authorities related
to cybersecurity by enhancing communication among regulatory agencies,
sharing best practices, and exploring ways to align, leverage, and
deconflict approaches to cybersecurity regulation.\27\ Current
participants in the Forum include, among others, FCC, CISA, CFTC,
Consumer Product Safety Commission, Department of Health and Human
Services (HHS), DHS, Department of the Treasury, FERC, FHFA, FRB,
Federal Trade Commission, FDA, NRC, OCC, SEC, TSA, USCG, and the Office
of the National Cyber Director.
---------------------------------------------------------------------------
\27\ See Cybersecurity Forum for Independent and Executive
Branch Regulators Charter (2014), available at <a href="https://www.nrc.gov/docs/ML1501/ML15014A296.pdf">https://www.nrc.gov/docs/ML1501/ML15014A296.pdf</a>.
---------------------------------------------------------------------------
[[Page 23654]]
Additionally, CISA has performed, and as required by CIRCIA, plans
on continuing to perform, outreach to both Federal partners and non-
Federal stakeholders to learn about existing and proposed cyber
incident reporting regulations and ways in which CISA may be able to
design and implement the CIRCIA requirements to harmonize with those
reporting requirements to the extent practicable. In addition to the
RFI and listening sessions described in Section III.F in this document,
CISA held a series of consultations with each Sector Risk Management
Agency (SRMA), all Federal departments and agencies that currently
oversee cyber incident reporting requirements, and various other
Federal departments and agencies with equities in cyber incident and
ransom payment reporting. During these engagements, CISA has sought to
learn about existing and proposed Federal regimes that require the
reporting of cyber incidents or ransom payments and discuss areas where
CISA and its Federal counterparts might want to, and be able to,
harmonize their respective reporting requirements. CISA leveraged the
information gained via the RFI, listening sessions, and Federal
consultations in the development of this NPRM, and intends to continue
to engage Federal partners during the development and implementation of
the final rule in an attempt to harmonize reporting requirements and
reduce the burden on potential covered entities, where practicable.
Finally, CISA intends to work with other Federal departments and
agencies to explore opportunities to reduce duplicative reporting of
covered cyber incidents through a proposed substantially similar
reporting exception to CIRCIA. Under this exception, which is
authorized under 6 U.S.C. 681b(a)(5)(B), a covered entity that is
required by law, regulation, or contract to report information to
another Federal entity that is substantially similar to the information
that must be reported under CIRCIA and is required to submit the report
in a substantially similar timeframe to CIRCIA's reporting deadlines,
may be excepted from reporting it again under CIRCIA. Per the statute,
for covered entities to be able to leverage this specific exception,
CISA and the respective Federal entity must enter into an interagency
agreement, referred to as a CIRCIA Agreement, and establish an
information sharing mechanism to share reports. To the extent
practicable, CISA is committed to working in good faith with its
Federal partners to have CIRCIA Agreements finalized before the
effective date of the final rule. Additional details on the
substantially similar reporting exception to CIRCIA are discussed in
Section IV.D.i in this document.
CISA welcomes all comments on all aspects of harmonizing CIRCIA's
regulatory reporting requirements with other cyber incident and ransom
payment reporting requirements, including:
1. Potential approaches to harmonizing CIRCIA's regulatory
reporting requirements with other existing Federal or SLTT laws,
regulations, directives, or similar policies that require reporting of
cyber incidents or ransom payments.
2. How to reduce actual, likely, or potential duplication or
conflict between other Federal or SLTT laws, regulations, directives,
or policies and CIRCIA's reporting requirements.
E. Information Sharing Required by CIRCIA
Sharing information on cyber incidents, ransomware attacks, and the
broader cyber threat landscape is central to CIRCIA. In fact, CIRCIA
imposes several requirements upon CISA and other Federal departments
and agencies related to the sharing of information received through
cyber incident and ransom payment reporting programs, including the
CIRCIA proposed regulations. As Congress imposed these obligations
solely on Federal departments and agencies, they are not included in
the CIRCIA proposed rule; however, information sharing will be an
integral part of the overall CIRCIA implementation, and CISA is
committed to working with its Federal partners to share cyber threat
information across the Federal government and, as appropriate, with
non-Federal stakeholders.
As required by 6 U.S.C. 681a(a)(10) and (b), CISA will make
information received via CIRCIA Reports or in response to an RFI or
subpoena available to appropriate SRMAs and other appropriate Federal
departments and agencies, as determined by the President or a designee
of the President, within 24 hours of receipt. CIRCIA also includes a
reciprocal requirement, where any Federal department or agency that
receives a report of a cyber incident shall provide the report to CISA
within 24 hours of receiving the report. See 6 U.S.C. 681g(a)(1). Upon
receipt of a report from another Federal agency pursuant to this
requirement, CISA must share the report with other Federal agencies as
it would any other report submitted to CISA under CIRCIA. 6 U.S.C.
681a(a)(10), 681a(b), 681g(a)(1). In addition to any otherwise
generally applicable laws (such as the Privacy Act of 1974 \28\ and the
E-Government Act of 2002 \29\), pursuant to 6 U.S.C. 681g(a)(3), CISA
must protect the reports it receives from Federal partners under these
provisions in accordance with any privacy, confidentiality, or
information security requirements imposed upon the originating Federal
department or agency. CIRCIA also requires CISA to ``coordinate and
share information with appropriate Federal departments and agencies to
identify and track ransom payments.'' 6 U.S.C. 681a(a)(2).
---------------------------------------------------------------------------
\28\ See 5 U.S.C. 552a.
\29\ See 44 U.S.C. 3501 note, Public Law 107-347.
---------------------------------------------------------------------------
CIRCIA imposes requirements on CISA related to sharing cyber threat
information with non-Federal stakeholders as well. For example, 6
U.S.C. 681a(a)(7) requires CISA to immediately review Covered Cyber
Incident Reports or voluntary reports submitted to CISA pursuant to 6
U.S.C. 681c to the extent they involve ongoing cyber threats or
security vulnerabilities for cyber threat indicators that can be
anonymized and disseminated, with defensive measures, to appropriate
stakeholders. Similarly, for a covered cyber incident or group of
covered cyber incidents that satisfies the definition of a significant
cyber incident, CISA must conduct a review of the details surrounding
the incident(s) and identify and disseminate ways to prevent or
mitigate similar incidents in the future. 6 U.S.C. 681a(a)(6). CISA
must also ``publish quarterly unclassified, public reports that
describe aggregated, anonymized observations, findings, and
recommendations'' based on Covered Cyber Incident Reports. 6 U.S.C.
681a(a)(8). In addition to limiting sharing of information as may
otherwise be required by laws that are generally applicable to
information received by the Federal government, such as the Trade
Secrets Act,\30\ when sharing with critical infrastructure owners and
operators and the general public any information received via CIRCIA
Reports or responses to RFIs, CISA must anonymize information related
to the victim who reported the incident. See 6 U.S.C. 681e(d).
---------------------------------------------------------------------------
\30\ 18 U.S.C. 1905.
---------------------------------------------------------------------------
F. Summary of Stakeholder Comments
While developing this NPRM, CISA sought feedback from an array of
public and private sector stakeholders in an effort to identify the
most effective potential approach to implementing CIRCIA's reporting
requirements. CISA published an RFI in the Federal
[[Page 23655]]
Register; \31\ held in-person, public listening sessions around the
country; \32\ conducted virtual, sector-specific listening sessions;
\33\ and consulted with SRMAs and other relevant Federal departments
and agencies, all with the goal of receiving meaningful input from
entities that will potentially be impacted by this regulation. CISA has
considered this feedback when developing the proposals set forth in
this NPRM. A summary of the most salient points received in response to
the RFI and during the CIRCIA listening sessions follows. All comments
received in response to the RFI, as well as transcripts from all the
public and sector-specific listening sessions, are available in the
electronic docket for this rulemaking.
---------------------------------------------------------------------------
\31\ The RFI, which was published in the Federal Register on
September 12, 2022, solicited inputs on potential aspects of the
proposed regulation prior to the publication of this NPRM. CISA did
not limit the type of feedback commenters could submit in response
to the RFI, but did specifically request comments on definitions for
and interpretations of the terminology to be used in the proposed
regulation; the form, manner, content, and procedures for submission
of reports required under CIRCIA; information regarding other
incident reporting requirements including the requirement to report
a description of the vulnerabilities exploited; and other policies
and procedures, such as enforcement procedures and information
protection policies, that will be required for implementation of the
regulation. The comment period was open through November 14, 2022,
and CISA received 131 individual comments in response to the RFI. 87
FR 55833.
\32\ Between September 21, 2022, and November 16, 2022, CISA
hosted ten listening sessions in Salt Lake City, Utah; Chicago,
Illinois; Fort Worth, Texas; New York, New York; Philadelphia,
Pennsylvania; Washington, DC; Oakland, California; Boston,
Massachusetts; Seattle, Washington; and Kansas City, Missouri. 87 FR
55830; 87 FR 60409.
\33\ Because CIRCIA defines covered entities with reference to
critical infrastructure sectors, CISA held sector-specific listening
sessions for each of the 16 critical infrastructure sectors
identified in Presidential Policy Directive 21, see <a href="https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors">https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors</a>, as well as a separate session for
the Aviation Subsector. Transcripts from these sessions can be
viewed in the docket for this rulemaking by going to
<a href="http://www.regulations.gov">www.regulations.gov</a> and searching for CISA-2022-0010.
---------------------------------------------------------------------------
i. General Comments
In general, several commenters told CISA that the regulations
should be easy to comply with, such that individuals who are not
cybersecurity professionals can complete the required reporting, and
avoid overly burdensome requirements.\34\ Commenters recommended that
compliance with the regulation be incentive-based and supportive,
rather than punitive,\35\ and commenters also expressed concerns about
the confidentiality of reported information.\36\ Commenters also urged
CISA to consider the landscape of existing cyber incident reporting
requirements and expressed general concern about the potential negative
impacts of unharmonized, complex, and duplicative reporting
regimes.\37\
---------------------------------------------------------------------------
\34\ See, e.g., Comments submitted by the Confidentiality
Coalition, CISA-2022-0010-0030; Credit Union National Association,
CISA-2022-0010-0050; SAP, CISA-2022-0010-0114; Federation of
American Hospitals, CISA-2022-0010-0063; Epic, CISA-2022-0010-0090.
\35\ See, e.g., Comments submitted by the Arizona Cyber Threat
Response Alliance and Arizona Technical Council, CISA-2022-0010-
0022; SolarWinds, CISA-2022-0010-0027.
\36\ See, e.g., Comments submitted by Google Cloud, CISA-2022-
0010-0109; Tenable, CISA-2022-0010-0032; NCTA--The Internet &
Television Association, CISA-2022-0010-0102.
\37\ See, e.g., Comments submitted by CTIA, CISA-2022-0010-0070;
R Street Institute, CISA-2022-0010-0125; IBM, CISA-2022-0010-0069;
Cybersecurity Coalition, CISA-2022-0010-0105.
---------------------------------------------------------------------------
ii. Comments on the Definition of Covered Entity
Several commenters provided suggestions on how to define the term
covered entity under this regulation. While some commenters thought the
definition of covered entity was straightforward and already
understood,\38\ others pointed to different criteria or frameworks CISA
could use to scope the definition more effectively. These included,
among others, a size-based threshold,\39\ a risk-based approach,\40\ or
a focus on the degree to which an entity supported a NCF.\41\
Commenters also suggested leveraging existing lists, standards, or
definitions, such as the list of critical infrastructure ``where a
cybersecurity incident could reasonably result in catastrophic regional
or national effects on public health or safety, economic security, or
national security,'' as determined pursuant to Section 9(a) of
Executive Order 13636; \42\ the NERC CIP standard; \43\ the National
Institute of Standards and Technology's (NIST's) definition; \44\ or
definitions used by other countries.\45\ Others suggested considering
the unique qualities of particular industries and sectors and either
creating sector-based definitions or excluding certain sectors and
industries from the definition altogether.\46\
---------------------------------------------------------------------------
\38\ See, e.g., Comment submitted by the Arizona Cyber Threat
Response Alliance and Arizona Technical Council, CISA-2022-0010-
0022.
\39\ See, e.g., Comments submitted by the Computing Technology
Industry Association, CISA-2022-0010-0122; BlackBerry Corporation,
CISA-2022-0010-0036; Cyber Threat Alliance, CISA-2022-0010-0019;
SolarWinds, CISA-2022-0010-0027.
\40\ See, e.g., Comments submitted by the Information Technology
Industry Council, CISA-2022-0010-0097; U.S. Chamber of Commerce,
CISA-2022-0010-0075; American Property Casualty Insurance
Association, CISA-2022-0010-0064.
\41\ See, e.g., Comment submitted by Mitchell Berger, CISA-2022-
0010-0004.
\42\ See, e.g., Comments submitted by the UnityPoint Health,
CISA-2022-0010-0107; National Retail Federation, CISA-2022-0010-
0092; National Rural Electric Cooperative Association, CISA-2022-
0010-0025.
\43\ See, e.g., Comment submitted by the Powder River Energy
Corporation, CISA-2022-0010-0099.
\44\ See, e.g., Comment submitted by the Credit Union National
Association, CISA-2022-0010-0050.
\45\ See, e.g., Comment submitted by SAP, CISA-2022-0010-0114.
\46\ See, e.g., Comments submitted by the Rural Wireless
Association, Inc., CISA-2022-0010-0093 (recommending excluding small
telecommunications carriers); TechNet, CISA-2022-0010-0072
(discussing the ``innovation economy''); American Property Casualty
Insurance Association, CISA-2022-0010-0064 (recommending exclusion
of insurance agencies); NAFCU, CISA-2022-0010-0076 (recommending
exclusion of the credit union industry).
---------------------------------------------------------------------------
iii. Comments on the Definition of Covered Cyber Incident and
Substantial Cyber Incident
Many commenters provided thoughts on how to define covered cyber
incident and substantial cyber incident, including some who offered
their own definitions for CISA to consider.\47\ Multiple commenters
indicated a desire for a high threshold for reporting to minimize
burdens on regulated entities, avoid duplicative reporting, and prevent
CISA from being inundated with reports,\48\ although at least one
commenter noted that a narrow definition could leave CISA with an
incomplete understanding of the threat landscape.\49\ In recommending
high thresholds, commenters suggested that CISA could bound the
definition of covered cyber incident in a variety of ways, such as by
limiting reporting to ``confirmed incidents''; \50\ incidents that
cause ``actual harm''; \51\ only incidents that impact business
operations; \52\ only
[[Page 23656]]
incidents that impact an entity's critical infrastructure functions;
\53\ incidents that directly impact U.S. companies, citizens, economies
or national security; \54\ and/or those resulting only from malicious
intent.\55\ Several commenters also advocated for considering
definitions that already exist, such as the definition created by NIST
that is used in FISMA,\56\ or definitions that are already used among
the 16 critical infrastructure sectors.\57\
---------------------------------------------------------------------------
\47\ See, e.g., Comments submitted by the Cybersecurity
Coalition, CISA-2022-0010-0105; Microsoft Corporation, CISA-2022-
0010-0058.
\48\ See, e.g., Comments submitted by The Associations: BPI,
ABA, IIB, SIFMA, CISA-2022-0010-0046; American Council of Life
Insurers, CISA-2022-0010-0095; UnityPoint Health, CISA-2022-0010-
0107; Cloudflare, Inc., CISA-2022-0010-0074; American Property
Casualty Insurance Association, CISA-2022-0010-0064; Jim Wollbrinck,
CISA-2022-0010-0151.
\49\ See, e.g., Comment submitted by NERC, CISA-2022-0010-0049.
\50\ See, e.g., Comments submitted by Mandiant, CISA-2022-0010-
0120; Edison Electric Institute, CISA-2022-0010-0079; Connected
Health Initiative, CISA-2022-0010-0130; ACT | The App
Association, CISA-2022-0010-0129.
\51\ See, e.g., Comments submitted by the Internet
Infrastructure Coalition, CISA-2022-0010-0055; Independent Community
Bankers of America, CISA-2022-0010-0080; Institute of International
Finance, CISA-2022-0010-0060.
\52\ See, e.g., Comments submitted by IBM, CISA-2022-0010-0069;
Edison Electric Institute, CISA-2022-0010-0079; Fidelity National
Information Services, CISA-2022-0010-0033; National Technology
Security Coalition, CISA-2022-0010-0061.
\53\ See, e.g., Comments submitted by IBM, CISA-2022-0010-0069;
CrowdStrike, CISA-2022-0010-0128; Microsoft Corporation, CISA-2022-
0010-0058; Professional Services Council, CISA-2022-0010-0044;
Alliance for Automotive Innovation (Auto Innovators), CISA-2022-
0010-0082; Telecommunications Industry Association, CISA-2022-0010-
0132.
\54\ See, e.g., Comments submitted by Airlines for America,
CISA-2022-0010-0066; U.S. Chamber of Commerce, CISA-2022-0010-0075;
Express Association of America, CISA-2022-0010-0038; The
Associations: AFPM, AGA, API, APGA, INGAA, LEPA, CISA-2022-0010-
0057.
\55\ See, e.g., Comments submitted by Cloudflare, Inc., CISA-
2022-0010-0074; The Associations: BPI, ABA, IIB, SIFMA, CISA-2022-
0010-0046; Internet Infrastructure Coalition, CISA-2022-0010-0055.
\56\ See, e.g., Comments submitted by the National Technology
Security Coalition, CISA-2022-0010-0061; The Associations: BPI, ABA,
IIB, SIFMA, CISA-2022-0010-0046; Mandiant, CISA-2022-0010-0120;
Glenn Herdrich, CISA-2022-0010-0158.
\57\ See, e.g., Comments submitted by NCTA--The Internet &
Television Association, CISA-2022-0010-0102 (generally advocating
for a sector-based approach to the definition); Financial Services
Sector Coordinating Council, CISA-2022-0010-0094; The Associations:
BPI, ABA, IIB, SIFMA, CISA-2022-0010-0046; The Clearing House, CISA-
2022-0010-0086 (advocating for alignment with the FDIC's Computer-
Security Incident Notification Rule); HIMSS Electronic Health Record
Association, CISA-2022-0010-0040 (advocating for alignment with the
Health Insurance Portability and Accountability Act requirements);
Nuclear Energy Institute, CISA-2022-0010-0029; Rich Mogavero, CISA-
2022-0010-0139 (advocating alignment with the definition used by the
NRC); Electric Power Supply Association, CISA-2022-0010-0045; Edison
Electric Institute, CISA-2022-0010-0079 (advocating for alignment
with the reporting standards used by the NERC); NTCA--The Rural
Broadband Association, CISA-2022-0010-0100 (recommending
consideration of the FCC's reporting requirements in developing the
definition).
---------------------------------------------------------------------------
Comments received on the potential definition of substantial cyber
incident echoed those received on the potential definition of covered
cyber incident, though a few commenters noted that the term substantial
cyber incident does not have existing legal definitions as does covered
cyber incident.\58\ One commenter noted that CISA should clarify
whether ``substantial cyber incidents'' are separate from ``covered
cyber incidents,'' \59\ and another commenter recommended covered cyber
incidents and substantial cyber incidents should be synonymous
terms.\60\
---------------------------------------------------------------------------
\58\ See, e.g., Comments submitted by the Association of
Metropolitan Water Agencies, CISA-2022-0010-0088; U.S. Chamber of
Commerce, CISA-2022-0010-0075; Fidelity National Information
Services, CISA-2022-0010-0033.
\59\ See, e.g., Comment submitted by the Professional Services
Council, CISA-2022-0010-0044.
\60\ See, e.g., Comment submitted by Gideon Rasmussen, CISA-
2022-0010-0011.
---------------------------------------------------------------------------
iv. Comments on Other Definitions
CISA received a small number of comments on other definitions. A
few commenters provided feedback on the meaning of the terms ransom
payment and ransomware attack, with several noting that the definitions
of ransom payment and ransomware attack were understood as defined in
CIRCIA and recommending no changes to these terms in the
regulation.\61\
---------------------------------------------------------------------------
\61\ See, e.g., Comments submitted by (ISC)2, CISA-2022-0010-
0112; Exelon Corp., CISA-2022-0010-0043; SAP, CISA-2022-0010-0114.
---------------------------------------------------------------------------
A few commenters offered input on the meaning of supply chain
compromise, with those who did often acknowledging the statutory
definition of the term (see 6 U.S.C. 650(28)),\62\ and recommending
that CISA align this term as closely as possible with similar, existing
terms, such as ``supply chain attack'' used by NIST or the definition
of ``supply chain compromise'' used by MITRE.\63\ Several commenters
emphasized a need for clarity regarding when a customer or end user
would be expected to report on an incident caused somewhere above them
in the supply chain, noting that in many cases the impacted covered
entity may have limited visibility into what happened along the supply
chain to cause the incident.\64\
---------------------------------------------------------------------------
\62\ See, e.g., Comment submitted by the Cybersecurity
Coalition, CISA-2022-0010-0105.
\63\ See id.; see, e.g., Comment submitted by the Information
Technology Industry Council, CISA-2022-0010-0097.
\64\ See, e.g., Comments submitted by the American Water Works
Association, CISA-2022-0010-0127; Edison Electric Institute, CISA-
2022-0010-0079; NCTA--The Internet & Television Association, CISA-
2022-0010-0102; Exelon Corp., CISA-2022-0010-0043.
---------------------------------------------------------------------------
v. Comments on Criteria for Determining Whether the Domain Name System
Exception Applies
The few comments received relating to whether an entity is a multi-
stakeholder organization that develops, implements, and enforces
policies concerning the DNS reflected different views. One commenter
recommended that CISA clarify that domain name registries and
registrars are ``governed by a multistakeholder organization.'' \65\
Another commenter opined that it would not be appropriate to exempt
domain name registrars. The same commenter recommended that CISA
identify exempted organizations by name in the final rule, listing
Internet Corporation for Assigned Names and Numbers (ICANN) and the
Regional Internet Registries for consideration.\66\
---------------------------------------------------------------------------
\65\ Comment submitted by the Internet Infrastructure Coalition,
CISA-2022-0010-0055.
\66\ See Comment submitted by the Energy Transfer LP, CISA-2022-
0010-0037. Regional Internet Registries include ARIN, LACNIC, RIPE
NCC, AFRINIC, and APNIC (see Regional Internet Registries | The
Number Resource Organization (<a href="http://nro.net">nro.net</a>)).
---------------------------------------------------------------------------
vi. Comments on Manner and Form of Reporting, Content of Reports, and
Reporting Procedures
Numerous commenters provided recommendations on the manner and form
of reporting, with many of those concurring with the use of a web-based
form for reporting or other means of electronic reporting.\67\ Some
explicitly recommended that CISA make a mobile application or otherwise
make the form available via a mobile device as well.\68\ Several
commenters recommended alternative or additional methods of reporting
to include phone or email.\69\ Multiple commenters emphasized that
reporting should not require the download or purchase of new
technology.\70\ A number of commenters recommended that the same portal
be used for Supplemental Reports as for the original reports.\71\
---------------------------------------------------------------------------
\67\ See, e.g., Comments submitted by American Council of Life
Insurers, CISA-2022-0010-0095; HIMSS Electronic Health Record
Association, CISA-2022-0010-0040; Epic, CISA-2022-0010-0090; Cyber
Threat Alliance, CISA-2022-0010-0019; League of Southeastern Credit
Unions, CISA-2022-0010-0121; Marty Reynolds, CISA-2022-0010-0135;
Patrick Thornton, CISA-2022-0010-0144.
\68\ See, e.g., Comments submitted by the Cyber Threat Alliance,
CISA-2022-0010-0019; Workgroup for Electronic Data Interchange,
CISA-2022-0010-0041; OCHIN, CISA-2022-0010-0039; Cybersecurity
Coalition, CISA-2022-0010-0105.
\69\ See, e.g., Comments submitted by CHIME, CISA-2022-0010-
0035; Business Roundtable, CISA-2022-0010-0115; CTIA, CISA-2022-
0010-0070; The Clearing House, CISA-2022-0010-0086.
\70\ See, e.g., Comments submitted by the Operational Technology
Cybersecurity Coalition, CISA-2022-0010-0108; NTCA--The Rural
Broadband Association, CISA-2022-0010-0100; Tenable, CISA-2022-0010-
0032.
\71\ See, e.g., Comments submitted by the Cybersecurity
Coalition, CISA-2022-0010-0105; Information Technology Industry
Council, CISA-2022-0010-0097; Credit Union National Association,
CISA-2022-0010-0050.
---------------------------------------------------------------------------
Overall, commenters emphasized the need for a user-friendly
reporting form. While several commenters recommended that the reporting
form be
[[Page 23657]]
standardized for all covered entities,\72\ at least one commenter noted
that a uniform reporting format could unintentionally limit the type of
information CISA receives.\73\ Many commenters recommended that any
reporting form include drop-down menus, check-boxes, or other fields
that could be pre-populated for ease of submission.\74\ Other
commenters recommended that the incident reporting form generate
questions pertinent to the type of incident being reported, including
an indication of which fields were required for each type of
report.\75\ Several commenters also recommended that CISA assign
reference numbers to each report, which would allow entities to more
easily locate and return to a specific CIRCIA Incident Reporting Form
at a later point.\76\ Commenters also recommended existing reporting or
submission procedures that CISA could emulate. Some commenters
recommended CISA rely on a standardized approach, noting examples such
as the National Information Exchange Model \77\ or Structured Threat
Information eXpression (STIX) and Trusted Automated Exchange of
Intelligence Information (TAXII).\78\ Other commenters recommended CISA
align its reporting approach to that of other Federal departments and
agencies such as USCG,\79\ TSA,\80\ or DOD.\81\
---------------------------------------------------------------------------
\72\ See, e.g., Comments submitted by the Alliance for
Automotive Innovation, CISA-2022-0010-0082; Lucid Motors, CISA-2022-
0010-0078; USTelecom--The Broadband Association, CISA-2022-0010-
0067; Palo Alto Networks, CISA-2022-0010-0089.
\73\ See, e.g., Comment submitted by the Association of American
Railroads, CISA-2022-0010-0117.
\74\ See, e.g., Comments submitted by the Workgroup for
Electronic Data Interchange, CISA-2022-0010-0041; CTIA, CISA-2022-
0010-0070; Anonymous, CISA-2022-0010-0012; National Grain and Feed
Association, CISA-2022-0010-0104; Mitchell Berger, CISA-2022-0010-
0004; League of Southeastern Credit Unions, CISA-2022-0010-0121;
NERC, CISA-2022-0010-0049.
\75\ See, e.g., Comments submitted by the Municipal Information
Systems Association of California, CISA-2022-0010-0118; City of
Roseville, CISA-2022-0010-0111; City of Cerritos, CISA-2022-0010-
0084; Cyber Threat Alliance, CISA-2022-0010-0019; (ISC)2, CISA-2022-
0010-0112.
\76\ See, e.g., Comments submitted by the Arizona Cyber Threat
Response Alliance and Arizona Technical Council, CISA-2022-0010-
0022; Workgroup for Electronic Data Interchange, CISA-2022-0010-
0041.
\77\ See, e.g., Comments submitted by the Cyber Threat Alliance,
CISA-2022-0010-0019; SolarWinds, CISA-2022-0010-0027; MITRE, CISA-
2022-0010-0073.
\78\ See, e.g., Comments submitted by ACT | The App
Association, CISA-2022-0010-0129; Connected Health Initiative, CISA-
2022-0010-0130; Cyber Threat Alliance, CISA-2022-0010-0019; HIMSS,
CISA-2022-0010-0119.
\79\ See, e.g., Comment submitted by the American Association of
Port Authorities, CISA-2022-0010-0126.
\80\ See, e.g., Comment submitted by Energy Transfer LP, CISA-
2022-0010-0037.
\81\ See, e.g., Comment submitted by Trustwave Government
Solutions, CISA-2022-0010-0096.
---------------------------------------------------------------------------
When proposing suggestions for the content of CIRCIA reports, many
commenters recommended that CISA require minimal detail at the 72-hour
reporting deadline to not divert resources from response efforts,\82\
emphasizing that covered entities should be required to report only
what is absolutely needed.\83\ Several commenters recommended a core
set of questions be asked for every covered entity,\84\ while others
suggested the question set could be sector-specific.\85\ Many
commenters offered their thoughts on specific pieces of data that CISA
should consider collecting via the CIRCIA reporting form, many, if not
most, of which covered entities are statutorily required to include in
either Covered Cyber Incident Reports or Ransom Payment Reports.\86\
Some non-statutorily required fields that commenters suggested
included: identification of critical infrastructure sector, anyone else
that the entity informed, severity of the event, and victim IP
addresses.\87\
---------------------------------------------------------------------------
\82\ See, e.g., Comments submitted by BSA | The Software
Alliance, CISA-2022-0010-0106; SAP, CISA-2022-0010-0114; Arizona
Cyber Threat Response Alliance and Arizona Technical Council, CISA-
2022-0010-0022; American Chemistry Council, CISA-2022-0010-0098;
U.S. Chamber of Commerce, CISA-2022-0010-0075.
\83\ See, e.g., Comments submitted by CHIME, CISA-2022-0010-
0035; Google Cloud, CISA-2022-0010-0109; The Clearing House, CISA-
2022-0010-0086; Information Technology-ISAC, CISA-2022-0010-0048.
\84\ See, e.g., Comments submitted by the Institute of
International Finance, CISA-2022-0010-0060; National Association of
Chemical Distributors, CISA-2022-0010-0056; UnityPoint Health, CISA-
2022-0010-0107; Powder River Energy Corporation, CISA-2022-0010-
0099.
\85\ See, e.g., Comments submitted by HIMSS, CISA-2022-0010-
0109; CHIME, CISA-2022-0010-0035; CTIA, CISA-2022-0010-0070.
\86\ See, e.g., Comments submitted by the U.S. Chamber of
Commerce, CISA-2022-0010-0075 (recommending that CISA focus on the
ten elements listed in CISA's Sharing Cyber Event Information:
Observe, Act, Report document, namely: incident date and time,
incident location, type of observed activity; detailed narrative of
the event; number of people or systems affected; company/
organization name; point of contact details; severity of event;
critical infrastructure sector; and anyone else the entity
informed.); Cyber Threat Alliance, CISA-2022-0010-0019 (recommending
that the form include three ``layers,'' containing fields applicable
to all incidents (victim information, incident type, incident
information, and threat actor information), incident specific fields
(with different fields each for business email compromise,
ransomware or other extortion, data theft, financial theft such as
banking trojans, service theft, denial of service, disruptive or
destructive attack, data manipulation or integrity loss, branding/
reputation attack, or unauthorized access), and an optional layer
for the provision of technical information (such as victim IP
addresses, threat actor groups, MITRE ATT&CK mapping, exploited
vulnerabilities)); Municipal Information Systems Association of
California, CISA-2022-0010-0118 (recommending that the form include
impacted ``[a]gency,'' date of incident, date incident discovered,
indicators of compromise, type of data compromised (if applicable),
other compliance agencies mandated to receive this report, a
description of the incident, steps taken so far, and logs); City of
Roseville, CISA-2022-0010-0111 (same); City of Cerritos, CISA-2022-
0010-0084 (same); Palo Alto Networks, CISA-2022-0010-0089
(recommending that the template reporting form include the attack
vector or vectors that led to the compromise; tactics or techniques
used by threat actor; indicators of compromise; information on the
affected systems, devices, or networks; information relevant to the
identification of the threat actor or actors involved; a point of
contact from the affected entity; and impact, earliest known time,
and duration of compromise); Mitchell Berger, CISA-2022-0010-0004
(suggesting that CISA include a list of the 16 critical
infrastructure sectors, 55 national critical functions, or similar
items with boxes to check).
\87\ See id.
---------------------------------------------------------------------------
vii. Comments on the Deadlines for Submission of CIRCIA Reports
Although the 72-hour reporting deadline for the reporting of a
covered cyber incident is codified in the text of CIRCIA itself,
several commenters offered thoughts on how to interpret this
requirement. Many commenters suggested that CISA provide flexibility in
initiating the 72-hour clock due to the challenges entities face in
identifying a ``reasonable belief'' and responding to covered cyber
incidents.\88\ Similarly, commenters urged that CISA adopt certain
flexibilities in considering the deadline to have been met, such as
allowing entities to omit fields on a form when information is not yet
known \89\ or provide extensions to the 72-hour deadline when covered
entities are experiencing an external event, such as a natural disaster
or pandemic.\90\ A few commenters noted that it may not be objective or
clear in the moment when a covered entity has a ``reasonable belief,''
and recommended that CISA consider determining whether a reasonable
belief exists on a case-by-case basis.\91\ Many commenters stated that
``reasonable belief'' should be defined as a confirmed or validated
[[Page 23658]]
cyber incident from the perspective of the covered entity and that the
72-hour clock should therefore begin at that time.\92\
---------------------------------------------------------------------------
\88\ See, e.g., Comments submitted by Cybersecurity Coalition,
CISA-2022-0010-0105; TechNet, CISA-2022-0010-0072; Federation of
American Hospitals, CISA-2022-0010-0063; National Association of
Manufacturers, CISA-2022-0010-0087; American Council of Life
Insurers, CISA-2022-0010-0095.
\89\ See, e.g., Comment submitted by Google Cloud, CISA-2022-
0010-0109.
\90\ See, e.g., Comment submitted by HIMSS, CISA-2022-0010-0119.
\91\ See, e.g., Comments submitted by NCTA--The Internet &
Television Association, CISA-2022-0010-0102; SAP, CISA-2022-0010-
0114; CTIA, CISA-2022-0010-0070.
\92\ See, e.g., Comments submitted by National Electrical
Manufacturers Association, CISA-2022-0010-0026; League of
Southeastern Credit Unions, CISA-2022-0010-0121; The Associations:
AFPM, AGA, API, APGA, INGAA, LEPA, CISA-2022-0010-0057; Trustwave
Government Solutions, CISA-2022-0010-0096; Microsoft Corporation,
CISA-2022-0010-0058.
---------------------------------------------------------------------------
Similarly, several commenters recommended specific interpretations
for the point at which the 24-hour clock deadline for submission of a
Ransom Payment Report should begin. For instance, commenters
recommended that the 24-hour clock should begin after the ransom
payment is sent,\93\ when ``funds or items of value are transmitted to
the extorting party,'' \94\ or as soon as ``any part'' of the ransom
payment is no longer in possession of the impacted entity or any of its
affiliated third parties.\95\
---------------------------------------------------------------------------
\93\ See, e.g., Comments submitted by Exelon Corp., CISA-2022-
0010-0043; Cybersecurity Coalition, CISA-2022-0010-0105; Credit
Union National Association, CISA-2022-0010-0050; National
Association of Chemical Distributors, CISA-2022-0010-0056.
\94\ See, e.g., Comment submitted by the Cybersecurity
Coalition, CISA-2022-0010-0105.
\95\ See, e.g., Comment submitted by Sophos, Inc, CISA-2022-
0010-0047.
---------------------------------------------------------------------------
Regarding Supplemental Reports, while some commenters
recommended flexibility, including no deadline for timing of submission
of Supplemental Reports,\96\ others recommended CISA provide a separate
deadline for the submission of Supplemental Reports.\97\ Recommended
deadlines varied from as short as 12 hours after discovering
substantially new or different information \98\ to as long as one year
after the incident.\99\ On the question of what should constitute
substantially new or different information that would necessitate
filing a Supplemental Report, many commenters recommended that covered
entities be permitted to decide when new findings necessitate a
Supplemental Report.\100\ Other commenters suggested the types of
material changes that could be considered substantial new or different
information, such as changes to the types of data stolen or altered;
changes to the number or type of systems impacted; or updates to
information regarding the TTPs used in the incident.\101\
---------------------------------------------------------------------------
\96\ See, e.g., Comments submitted by the Airlines for America,
CISA-2022-0010-0066; SAP, CISA-2022-0010-0114.
\97\ See, e.g., Comments submitted by SolarWinds, CISA-2022-
0010-0027; Workgroup for Electronic Data Interchange, CISA-2022-
0010-0041; Telecommunications Industry Association, CISA-2022-0010-
0132.
\98\ See, e.g., Comment submitted by Sophos, Inc, CISA-2022-
0010-0047.
\99\ See, e.g., Comment submitted by the Workgroup for
Electronic Data Interchange, CISA-2022-0010-0041.
\100\ See, e.g., Comments submitted by USTelecom--The Broadband
Association, CISA-2022-0010-0067; Institute of International
Finance, CISA-2022-0010-0060; Exelon Corp., CISA-2022-0010-0043.
\101\ See, e.g., Comments submitted by the Institute of
International Finance, CISA-2022-0010-0060; League of Southeastern
Credit Unions, CISA-2022-0010-0121; Payments Leadership Council,
CISA-2022-0010-0031.
---------------------------------------------------------------------------
viii. Comments on Third-Party Submitters
Of the commenters who offered feedback on the third-party
submissions of CIRCIA Reports, most seemed to support the framework
already contemplated by statute. For instance, one commenter stated
that organizations should be able to identify a third party to submit
on their behalf,\102\ and more than one stated that the reporting
mechanisms, guidelines, and procedures should be the same for the
third-party submitter as for the covered entity.\103\ Many commenters
recommended that CISA clarify that the duty to comply with the regulation
falls on the covered entity,\104\ and that third-party submitters have
no obligation to report on the covered entity's behalf.\105\
---------------------------------------------------------------------------
\102\ See, e.g., Comment submitted by American Chemistry
Council, CISA-2022-0010-0098.
\103\ See, e.g., Comments submitted by American Chemistry
Council, CISA-2022-0010-0098; CrowdStrike, CISA-2022-0010-0128.
\104\ See, e.g., Comments submitted by BlackBerry, CISA-2022-
0010-0036; American Property Casualty Insurance Association, CISA-
2022-0010-0064; Computing Technology Industry Association, CISA-
2022-0010-0122.
\105\ See, e.g., Comments submitted by the Cyber Threat
Alliance, CISA-2022-0010-0019; Airlines for America, CISA-2022-0010-
0066; Operational Technology Cybersecurity Coalition, CISA-2022-
0010-0108; Information Technology-ISAC, CISA-2022-0010-0048;
BlackBerry, CISA-2022-0010-0036.
---------------------------------------------------------------------------
Some commenters recommended additional safeguards for covered
entities using third-party reporters. A few commenters recommended that
CISA clarify the types of third parties authorized to submit reports on
behalf of the covered entity.\106\ One commenter recommended that CISA
consider entities like ISACs to be suitable third-party reporters.\107\
Multiple commenters also recommended that CISA allow third-party
submitters to register with CISA as a known third-party submitter.\108\
---------------------------------------------------------------------------
\106\ See, e.g., Comments submitted by Exelon Corp., CISA-2022-
0010-0043; The Associations: AFPM, AGA, API, APGA, INGAA, LEPA,
CISA-2022-0010-0057.
\107\ See, e.g., Comment submitted by the Association of
Metropolitan Water Agencies, CISA-2022-0010-0088.
\108\ See, e.g., Comments submitted by BSA | The
Software Alliance, CISA-2022-0010-0106; SAP, CISA-2022-0010-0114;
Information Technology Industry Council, CISA-2022-0010-0097.
---------------------------------------------------------------------------
ix. Comments on Data and Records Preservation Requirements
Very few commenters offered recommendations related to data and
records preservation requirements. Several of those that did
recommended CISA not impose additional data and records preservation
requirements on covered entities via the CIRCIA regulation, and instead
defer to covered entities' existing legal obligations or specific
requests from law enforcement.\109\ Only one commenter offered
suggestions on the type of information that covered entities should
preserve,\110\ while a small number of commenters recommended lengths
of time for how long CISA should require information to be
preserved.\111\
---------------------------------------------------------------------------
\109\ See, e.g., Comments submitted by Mandiant, CISA-2022-0010-
0120; Accenture, CISA-2022-0010-0077; USTelecom--The Broadband
Association, CISA-2022-0010-0067.
\110\ See, e.g., Comment submitted by Sophos, Inc, CISA-2022-
0010-0047 (recommending that information preserved should include at
least all logs containing data related to the incident, such as
network logs, system logs, and access logs; all correspondence with
attackers, including any notes taken during any unrecorded
interactions; all identified TTPs and indicators of compromise; all
data related to any ransomware payment; and contact information of
individuals and entities that provided tactical support in the
incident response and investigation process).
\111\ See, e.g., Comments submitted by Sophos, Inc., CISA-2022-
0010-0047; SAP, CISA-2022-0010-0114; National Association of
Chemical Distributors, CISA-2022-0010-0056.
---------------------------------------------------------------------------
x. Comments on Other Existing Cyber Incident Reporting Requirements and
the Substantially Similar Reporting Exception
Many commenters offered feedback on the breadth of existing
Federal, SLTT, and international cyber incident reporting requirements,
and the potential for overlap, conflict, or alignment between CIRCIA
and those requirements. CISA will not summarize the specific reporting
requirements that commenters mentioned, because CISA provides a high-
level summary of these existing reporting requirements in Section III.B
in this document.
To avoid duplicative and burdensome reporting, several commenters
recommended that CISA align its reporting requirements with existing
Federal and SLTT requirements.\112\
[[Page 23659]]
Commenters frequently recommended that CISA consult with other Federal
departments and agencies with pre-existing regulatory authority in the
commenters' particular sectors to avoid duplicative requirements in the
CIRCIA regulation. Numerous commenters recommended that, alongside
harmonization efforts, CISA should establish a single, national point
of contact or process for mandatory cyber incident reporting,\113\
suggesting that DHS or CISA serve as the primary or sole entity for
receiving and disseminating cyber incident report information.\114\
Many commenters, noting the language in CIRCIA to this effect,
encouraged CISA to implement the reporting exemption for covered
entities that submit cyber incident reports with substantially similar
information to other Federal departments and agencies, within a
substantially similar timeframe.\115\ A few commenters offered criteria
for determining whether a report submitted to another Federal entity
constitutes ``substantially similar reported information.'' \116\
Commenters also offered suggestions on which existing reporting
obligations should be considered to include substantially similar
information. These suggestions included the Cyber Incident Notification
Requirements for Federally Insured Credit Unions (FICUs), located at 12
CFR 748.1; \117\ the DFARS incident reporting requirement, located at
48 CFR 252.204-7012; \118\ Cyber Security Event Notifications for
Commercial Nuclear Power Reactors, located at 10 CFR 73.77; TSA
Security Directive Pipeline-2021-01 series, Enhancing Pipeline
Cybersecurity; \119\ and the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) Breach Notification Rule, located at
45 CFR 164.400-414, and corresponding Health Information Technology for
Economic and Clinical Health (HITECH) Act Health Breach Notification
Rule, located at 16 CFR part 318, which applies to entities not subject
to the HIPAA Breach Notification Rule.\120\
---------------------------------------------------------------------------
\112\ See, e.g., Comments submitted by National Association of
Secretaries of State, CISA-2022-0010-0054; OCHIN, CISA-2022-0010-
0039; HIMSS Electronic Health Record Association, CISA-2022-0010-
0040; Alliance for Automotive Innovation, CISA-2022-0010-0082; Lucid
Motors, CISA-2022-0010-0078; Center for Democracy & Technology,
CISA-2022-0010-0068.
\113\ See, e.g., Comments submitted by Indiana Municipal Power
Agency, CISA-2022-0010-0018; HIMSS, CISA-2022-0010-0119; Exelon
Corp., CISA-2022-0010-0043; MITRE, CISA-2022-0010-0073; Options
Security Corporation, CISA-2022-0010-0160; Airport Council
International North America, CISA-2022-0010-0135; Cameron Braatz,
CISA-2022-0010-0154.
\114\ See, e.g., Comments submitted by The Associations, CISA-
2022-0010-0057: AFPM, AGA, API, APGA, INGAA, LEPA; Google Cloud,
CISA-2022-0010-; Express Association of America, CISA-2022-0010-
0038; Workgroup for Electronic Data Interchange, CISA-2022-0010-
0041; internet Infrastructure Coalition, CISA-2022-0010-0055;
American Council of Life Insurers, CISA-2022-0010-0095; Business
Roundtable, CISA-2022-0010-0115.
\115\ See, e.g., Comments submitted by the American Public Power
Association and the Large Public Power Council, CISA-2022-0010-0028;
National Rural Electric Cooperative Association, CISA-2022-0010-
0025; California Special Districts Association, CISA-2022-0010-0042;
Professional Services Council, CISA-2022-0010-0044; American
Association of Port Authorities, CISA-2022-0010-0126; Virginia Port
Authority, CISA-2022-0010-0052; CHIME, CISA-2022-0010-0035; AHIP,
CISA-2022-0010-0091.
\116\ See, e.g., Comments submitted by Payments Leadership
Council, CISA-2022-0010-0031 (recommending CISA consider a report to
include substantially similar information if ``the material essence
of the incident is reflected in the information contained within the
report to the other federal entity''); BSA | The Software
Alliance, CISA-2022-0010-0106 (recommending that there be a
``rebuttable presumption that a report provided by a covered entity
to another federal entity is substantially similar'').
\117\ See, e.g., Comment submitted by NAFCU, CISA-2022-0010-
0076.
\118\ See, e.g., Comments submitted by U.S. Chamber of Commerce,
CISA-2022-0010-0075; National Defense ISAC, CISA-2022-0010-0144.
\119\ See, e.g., Comments submitted by Energy Transfer LP, CISA-
2022-0010-0037.
\120\ See Comment submitted by Nuclear Energy Institute, CISA-
2022-0010-0029; see also comment submitted by Blue Cross Blue Shield
Association, CISA-2022-0010-0103.
---------------------------------------------------------------------------
xi. Comments on Noncompliance and Enforcement
A small number of commenters offered recommendations related to
noncompliance and enforcement of the CIRCIA regulations. These
commenters encouraged CISA to keep in mind that covered entities are
victims of an incident \121\ and recommended that CISA focus on
collaboration, not enforcement.\122\ Similarly, a number of commenters
recommended that CISA not penalize entities for reporting in good faith
under the rule.\123\ Such possible penalties that commenters
recommended CISA avoid included pursuing enforcement under CIRCIA or
allowing CIRCIA Reports to be the basis for enforcement actions by
other Federal departments and agencies under separate regulations.\124\
One commenter suggested that non-profit, self-incorporated fire and
Emergency Management Service departments be excluded from enforcement
in the same manner as SLTT Government Entities.\125\
---------------------------------------------------------------------------
\121\ See, e.g., Comments submitted by the National Technology
Security Coalition, CISA-2022-0010-0061; The Associations: BPI, ABA,
IIB, SIFMA, CISA-2022-0010-0046.
\122\ See, e.g., Comments submitted by Airlines for America,
CISA-2022-0010-0066; Connected Health Initiative, CISA-2022-0010-
0130; ACT--The App Association CISA-2022-0010-0129.
\123\ See, e.g., Comments submitted by the Association of
American Railroads, CISA-2022-0010-0117; SolarWinds, CISA-2022-0010-
0027; NTCA--The Rural Broadband Association, CISA-2022-0010-0100.
\124\ Id.
\125\ See, e.g., Comment submitted by the International
Association of Fire Chiefs, CISA-2022-0010-0081.
---------------------------------------------------------------------------
xii. Comments on Treatment and Restrictions on Use of CIRCIA Reports
Numerous commenters provided recommendations on the treatment and
restrictions on use of CIRCIA Reports and information therein. One
consistent theme throughout the comments on this topic was the notion
that CISA should take steps to ensure the confidentiality of the
information, including the identity of the victims of reported cyber
incidents, included in CIRCIA Reports.\126\ Some of the procedural
strategies recommended by commenters to achieve this include having
CISA anonymize and aggregate cyber incident report information prior to
sharing it with others,\127\ exempting CIRCIA Reports and/or the
information contained therein from release under FOIA and similar state
laws,\128\ and considering treating CIRCIA Reports as Protected
Critical Infrastructure Information, ``confidential,'' or ``secret.''
\129\ Numerous commenters also stressed the need for CISA to protect
information submitted in CIRCIA Reports through strong data protection
standards, data security practices, and data privacy safeguards.\130\
---------------------------------------------------------------------------
\126\ See, e.g., Comments submitted by IBM, CISA-2022-0010-0069;
Gideon Rasmussen, CISA-2022-0010-0011; Institute of International
Finance, CISA-2022-0010-0060; Powder River Energy Corporation, CISA-
2022-0010-0099.
\127\ See, e.g., Comments submitted by Fidelity National
Information Services, CISA-2022-0010-0033; UnityPoint Health, CISA-
2022-0010-0107; Institute of International Finance, CISA-2022-0010-
0060.
\128\ See, e.g., Comments submitted by Edison Electric Institute,
CISA-2022-0010-0079; HIMSS, CISA-2022-0010-0119; National Grain and
Feed Association, CISA-2022-0010-0104; NAFCU, CISA-2022-0010-0076.
\129\ See, e.g., Comments submitted by NCTA, CISA-2022-0010-
0102; SAP, CISA-2022-0010-0114.
\130\ See, e.g., Comments submitted by the Financial Services
Sector Coordinating Council, CISA-2022-0010-0094; The Clearing
House, CISA-2022-0010-0086; Payments Leadership Council, CISA-2022-
0010-0031.
---------------------------------------------------------------------------
Commenters also suggested several different limitations on the use
of the information contained in CIRCIA Reports. A number of commenters
recommended CISA include adequate liability protections in the proposed
regulation.\131\ Other commenters recommended CISA clarify that
reporting does not result in the waiver
[[Page 23660]]
of attorney-client privilege, trade secret protections, or other
privileges or protections.\132\ A few commenters recommended that
information contained in CIRCIA Reports be protected from discovery in
civil or criminal actions.\133\ One commenter recommended that the
various protections afforded to CIRCIA Reports still apply even in the
event that a CIRCIA Report is compromised (i.e., accessed by an
unauthorized individual or made public in an unauthorized manner).\134\
---------------------------------------------------------------------------
\131\ See, e.g., Comments submitted by American Chemistry
Council, CISA-2022-0010-0098; SolarWinds, CISA-2022-0010-0027; The
Associations: BPI, ABA, IIB, SIFMA, CISA-2022-0010-0046.
\132\ See, e.g., Comments submitted by CrowdStrike, CISA-2022-
0010-0128; U.S. Chamber of Commerce, CISA-2022-0010-0075; Connected
Health Initiative, CISA-2022-0010-0130.
\133\ See, e.g., Comments submitted by Connected Health
Initiative, CISA-2022-0010-0130; ACT | The App Association,
CISA-2022-0010-0129.
\134\ See Comment submitted by Health-ISAC and the
Healthcare and Public Health Sector Coordinating Council
Cybersecurity Working Group, CISA-2022-0010-0123.
---------------------------------------------------------------------------
IV. Discussion of Proposed Rule
A. Definitions
Section 226.1 of the proposed rule contains proposed definitions
for certain terms used within the rule. These proposed definitions are
intended to help clarify the meaning of various terms used throughout
the proposed rule and promote consistency in application of the
regulatory requirements.
For a number of the terms, CISA proposes using, either verbatim or
with minor adjustments, definitions provided in the Definitions
sections of CIRCIA, as amended (6 U.S.C. 681). For several other terms
where CIRCIA does not include a CIRCIA-specific definition, CISA
proposes using, either verbatim or with minor adjustments, definitions
provided in the Definitions sections at Section 2 of the Homeland
Security Act of 2002 (6 U.S.C. 101) or at the beginning of Title XXII
of the Homeland Security Act of 2002 (6 U.S.C. 650), each as amended,
since definitions in those sections also apply to CIRCIA. Proposed
definitions that are derived from these legal authorities include:
cloud service provider; cyber incident; Cybersecurity and
Infrastructure Security Agency or CISA; cybersecurity threat; Director;
information system; managed service provider; ransom payment;
ransomware attack; supply chain compromise; and virtual currency.
Additionally, CISA is proposing definitions for a variety of terms
that will have a specific meaning within the proposed regulation. These
include CIRCIA; CIRCIA Agreement; CIRCIA Report; covered cyber
incident; Covered Cyber Incident Report; covered entity; Joint Covered
Cyber Incident and Ransom Payment Report; personal information; Ransom
Payment Report; State, Local, Tribal, or Territorial Government entity
or SLTT Government entity; substantial cyber incident; and Supplemental
Report. The basis for each of these proposed definitions is discussed
in their respective subsection below.
i. Covered Entity
Covered entity is a key term in the proposed regulation as, among
other things, it is the operative term used to describe the regulated
parties responsible for complying with the covered cyber incident and
ransom payment reporting and data and records preservation requirements
in the proposed CIRCIA regulation. While the statute includes a
definition for the term covered entity, the statute explicitly requires
CISA to further clarify the meaning of that term through description in
the CIRCIA rulemaking. Specifically, the statute defines covered entity
to mean ``an entity in a critical infrastructure sector, as defined in
Presidential Policy Directive 21, that satisfies the definition
established by the Director in the final rule issued pursuant to
section 681b(b) of this title.'' 6 U.S.C. 681(4). CIRCIA also requires
CISA to include a ``clear description of the types of entities that
constitute covered entities'' in the final rule based on various
specified factors. 6 U.S.C. 681b(c)(1).
CISA proposes to provide the criteria for covered entities in an
Applicability section at Sec. 226.2 of the regulation with a cross-
reference to the Applicability section in the Definitions section under
the term covered entity. See Section IV.B below and Sec. 226.2 for a
detailed discussion of the proposed covered entity criteria and the
``clear description of the types of entities that constitute covered
entities,'' required by 6 U.S.C. 681b(c)(1).
ii. Cyber Incident, Covered Cyber Incident, and Substantial Cyber
Incident
1. Cyber Incident
CISA is proposing to include in the regulation a definition of the
term cyber incident. The definition of cyber incident is important as
it will help bound the types of incidents that trigger reporting
requirements for covered entities under the proposed regulation.
CIRCIA states that the term cyber incident ``(A) has the meaning
given the term `incident' in section 2209; and (B) does not include an
occurrence that imminently, but not actually, jeopardizes--(i)
information on information systems; or (ii) information systems.'' See
6 U.S.C. 681(5). Section 2209's definition of ``incident'' has since
been moved to Section 2200 and defines the term ``incident'' as ``an
occurrence that actually or imminently jeopardizes, without lawful
authority, the integrity, confidentiality, or availability of
information on an information system, or actually or imminently
jeopardizes, without lawful authority, an information system.'' See 6
U.S.C. 650(12).\135\
---------------------------------------------------------------------------
\135\ The definition of ``incident'' was moved from Section 2209
of the Homeland Security Act (6 U.S.C. 659) to Section 2200 of the
Homeland Security Act (6 U.S.C. 650(12)) as part of the
consolidation of definitions in Section 7143 (CISA Technical
Corrections and Improvements) of the James M. Inhofe National
Defense Authorization Act for Fiscal Year 2023 (hereinafter, ``CISA
Technical Corrections''). Public Law 117-263, Div. G, Title LXXI,
Sec. 7143, Dec. 23, 2022. Section (f)(2) of the CISA Technical
Corrections includes a rule of construction that provides that
``[a]ny reference to a term defined in the Homeland Security Act of
2002 (6 U.S.C. 101 et seq.) on the day before the date of enactment
of this Act that is defined in section 2200 of that Act pursuant to
the amendments made under this Act shall be deemed to be a reference
to that term as defined in section 2200 of the Homeland Security Act
of 2002, as added by this Act.'' Pursuant to this rule of
construction, the cross-reference in CIRCIA's definition of ``cyber
incident'' to the definition of ``incident'' in Section 2209 of the
Homeland Security Act (6 U.S.C. 659) is deemed a reference to the
definition of ``incident'' in Section 2200 of the Homeland Security
Act (6 U.S.C. 650).
---------------------------------------------------------------------------
CISA is proposing to define cyber incident to mean an occurrence
that actually jeopardizes, without lawful authority, the integrity,
confidentiality, or availability of information on an information
system, or actually jeopardizes, without lawful authority, an
information system. The definition would use the 6 U.S.C. 650
definition verbatim other than striking the ``imminently jeopardizes''
clause in that definition, as required by 6 U.S.C. 681(5)(B).
2. Covered Cyber Incident
CIRCIA requires CISA to include within the proposed rule a
definition for the term covered cyber incident. See 6 U.S.C. 681(3).
Because CIRCIA requires covered entities to report only those cyber
incidents that qualify as covered cyber incidents to CISA, this
definition is essential for triggering the reporting requirement. CISA
is proposing to define the term covered cyber incident to mean a
substantial cyber incident experienced by a covered entity. CISA also
proposes definitions for both substantial cyber incident and covered
entity within this NPRM.
Within CIRCIA, Congress defined a covered cyber incident as ``a
substantial cyber incident experienced by a covered entity that
satisfies the definition and
[[Page 23661]]
criteria established by the Director in the final rule issued pursuant
to section 681b(b) of this title.'' See 6 U.S.C. 681(3). CISA believes
that defining a covered cyber incident to include all substantial cyber
incidents experienced by a covered entity rather than some subset
thereof is both consistent with the statutory definition of covered
cyber incident and is the least complicated approach to defining
covered cyber incidents.
Under this approach, a covered entity simply needs to determine if
a cyber incident is a substantial cyber incident for it to be reported,
rather than having to perform an additional analysis to determine if a
substantial cyber incident meets some narrower criteria for a covered
cyber incident. As the term substantial cyber incident is not used in
CIRCIA other than to help define a covered cyber incident, CISA does
not see any benefit to having one set of requirements for what
constitutes a substantial cyber incident and a separate set of
requirements for which substantial cyber incidents experienced by a
covered entity qualify as covered cyber incidents.
3. Substantial Cyber Incident
CISA is proposing to include within the rule a definition for the
term substantial cyber incident. Given CISA's proposal to define a
covered cyber incident as a substantial cyber incident experienced by a
covered entity, the term substantial cyber incident is essential to the
CIRCIA regulation as it identifies the types of incidents that, when
experienced by a covered entity, must be reported to CISA.
While CIRCIA does not define the term substantial cyber incident,
it provides minimum requirements for the types of substantial cyber
incidents that qualify as covered cyber incidents. See 6 U.S.C.
681b(c)(2)(A). Consistent with these minimum requirements, CISA
proposes the term substantial cyber incident to mean a cyber incident
that leads to any of the following: (a) a substantial loss of
confidentiality, integrity, or availability of a covered entity's
information system or network; (b) a serious impact on the safety and
resiliency of a covered entity's operational systems and processes; (c)
a disruption of a covered entity's ability to engage in business or
industrial operations, or deliver goods or services; or (d)
unauthorized access to a covered entity's information system or
network, or any nonpublic information contained therein, that is
facilitated through or caused by either a compromise of a cloud service
provider, managed service provider, other third-party data hosting
provider, or a supply chain compromise. CISA is further proposing that
a substantial cyber incident resulting in one of the listed impacts
include any cyber incident regardless of cause, including, but not
limited to, a compromise of a cloud service provider, managed service
provider, or other third-party data hosting provider; a supply chain
compromise; a denial-of-service attack; a ransomware attack; or
exploitation of a zero-day vulnerability. Finally, CISA is proposing
the term substantial cyber incident does not include (a) any lawfully
authorized activity of a United States Government entity or SLTT
Government entity, including activities undertaken pursuant to a
warrant or other judicial process; (b) any event where the cyber
incident is perpetrated in good faith by an entity in response to a
specific request by the owner or operator of the information system; or
(c) the threat of disruption as extortion, as described in 6 U.S.C.
650(22).\136\
---------------------------------------------------------------------------
\136\ The definition of ransomware attack contained in Section
2240(14)(A) was originally codified in 6 U.S.C. 681(14) but was
moved from 6 U.S.C. 681(14) to 6 U.S.C. 650(22) as part of the
consolidation of definitions in the CISA Technical Corrections,
supra note 135. The CISA Technical Corrections, however, did not
update this cross-reference in CIRCIA. Nevertheless, pursuant to the
rule of construction in Section (f)(2) of the CISA Technical
Corrections, the cross reference in 6 U.S.C. 681b(c)(2)(C)(ii) to
part of the definition of ransomware attack in 6 U.S.C. 681(14) is
deemed a reference to the definition of ransomware attack now in 6
U.S.C. 650 (Section 2200 of the Homeland Security Act).
---------------------------------------------------------------------------
In developing this proposed definition, CISA examined how other
Federal departments and agencies that regulate cyber incident reporting
define similar terminology for their reporting regimes, reviewed the
Model Definition for a Reportable Cyber Incident proposed by the
Secretary of Homeland Security in the CIRC-informed DHS Report to
Congress (the ``CIRC Model Definition''), and considered the many
comments received on this topic from stakeholders both at CIRCIA
listening sessions and in written comments submitted in response to the
CIRCIA RFI. CISA considered those various perspectives and approaches
both within the constraints explicitly imposed by CIRCIA and in light
of the purposes for which CISA believes CIRCIA was created as described
in Section III.C in this document.
The proposed definition contains the following elements: (1) a set
of four threshold impacts which, if one or more occur as the result of
a cyber incident, would qualify that cyber incident as a substantial
cyber incident; (2) an explicit acknowledgment that substantial cyber
incidents can be caused through compromises of third-party service
providers or supply chains, as well as various techniques and methods;
and (3) three separate types of incidents that, even if they were to
meet the other criteria contained within the substantial cyber incident
definition, would be excluded from treatment as a substantial cyber
incident. Each of these elements is addressed in turn below.
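Read as a decision procedure, the three elements above order themselves: the incident must involve actual (not merely imminent) jeopardy, the exclusions are checked first, and only prong (d) depends on the cause of the incident, while prongs (a) through (c) apply regardless of cause. The following Python triage helper is an added illustration of that structure; it is not part of the NPRM and not a CISA tool, its field names are assumptions, and the "substantial" and "serious" judgments are analyst inputs rather than anything the code decides. The scenarios are constructed from the examples discussed in this section.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Causes the proposed definition singles out for prong (d). Any other cause
# (ransomware, denial of service, zero-day exploitation, ...) can still
# satisfy prongs (a) through (c), which are cause-agnostic.
THIRD_PARTY_CAUSES = frozenset({
    "cloud_service_provider", "managed_service_provider",
    "third_party_data_host", "supply_chain_compromise",
})

# Exclusions in the proposed definition. An excluded event is not a
# substantial cyber incident even when an impact prong would be met.
EXCLUSIONS = (
    ("lawful_government_activity", "lawfully authorized U.S. or SLTT government activity"),
    ("good_faith_at_owner_request", "good-faith activity at the owner/operator's request"),
    ("extortion_threat_only", "threat of disruption as extortion (6 U.S.C. 650(22))"),
)


@dataclass(frozen=True)
class Assessment:
    """Analyst inputs (assumed field names, not from the rule text)."""
    actual_jeopardy: bool                           # actual, not merely imminent (6 U.S.C. 681(5)(B))
    substantial_cia_loss: bool = False              # prong (a), analyst judgment
    serious_safety_resiliency_impact: bool = False  # prong (b), analyst judgment
    operations_disrupted: bool = False              # prong (c)
    unauthorized_access: bool = False               # prong (d), together with a third-party cause
    causes: FrozenSet[str] = frozenset()            # free-form cause tags
    lawful_government_activity: bool = False
    good_faith_at_owner_request: bool = False
    extortion_threat_only: bool = False


@dataclass(frozen=True)
class Determination:
    substantial: bool
    prongs: Tuple[str, ...]   # e.g. ("a", "c")
    reason: str


def assess(a: Assessment) -> Determination:
    """Apply the proposed definition's structure to one assessment."""
    if not a.actual_jeopardy:
        return Determination(False, (), "not a cyber incident: jeopardy imminent, not actual")
    for attr, label in EXCLUSIONS:          # exclusions override any impact prong
        if getattr(a, attr):
            return Determination(False, (), "excluded: " + label)
    prongs = []
    if a.substantial_cia_loss:
        prongs.append("a")
    if a.serious_safety_resiliency_impact:
        prongs.append("b")
    if a.operations_disrupted:
        prongs.append("c")
    # Prong (d) is the only cause-dependent prong: unauthorized access facilitated
    # through or caused by a third-party provider or supply chain compromise.
    if a.unauthorized_access and (a.causes & THIRD_PARTY_CAUSES):
        prongs.append("d")
    if prongs:
        return Determination(True, tuple(prongs),
                             "substantial cyber incident via prong(s) " + ", ".join(prongs))
    return Determination(False, (), "cyber incident below the substantial threshold")


# Constructed scenarios (not real reports) modelled on examples in this section.
SCENARIOS = {
    # Extended DDoS outage of a customer-facing service: loss of availability and
    # disruption of business operations.
    "ddos_extended_outage": Assessment(actual_jeopardy=True, substantial_cia_loss=True,
                                       operations_disrupted=True,
                                       causes=frozenset({"denial_of_service"})),
    # Public website down for a few minutes: analyst judged the loss not substantial.
    "ddos_few_minutes": Assessment(actual_jeopardy=True, causes=frozenset({"denial_of_service"})),
    # Access gained through a compromised MSP with no other impact yet: prong (d) alone.
    "msp_compromise_access_only": Assessment(actual_jeopardy=True, unauthorized_access=True,
                                             causes=frozenset({"managed_service_provider"})),
    # Brief access to a low-value system via stolen credentials, judged not substantial:
    # no third-party cause, so prong (d) cannot substitute for the prong (a) judgment.
    "direct_access_no_loss": Assessment(actual_jeopardy=True, unauthorized_access=True,
                                        causes=frozenset({"credential_theft"})),
    # Authorized penetration test that knocked a system over: excluded despite the impact.
    "authorized_pentest": Assessment(actual_jeopardy=True, substantial_cia_loss=True,
                                     good_faith_at_owner_request=True),
    # Extortion demand threatening disruption, with no actual disruption: excluded.
    "extortion_threat": Assessment(actual_jeopardy=True, extortion_threat_only=True),
}


def triage_all() -> dict:
    return {name: assess(a) for name, a in SCENARIOS.items()}


if __name__ == "__main__":
    for name, d in triage_all().items():
        print(f"{name:28} substantial={str(d.substantial):5} {d.reason}")
```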
a. Minimum Requirements for a Cyber Incident To Be a Substantial Cyber
Incident
While Congress did not define the term substantial cyber incident
in CIRCIA, Congress did include minimum requirements for the types of
substantial cyber incidents that constitute covered cyber incidents.
See 6 U.S.C. 681b(c)(2)(A).\137\ Because CISA is proposing that a
covered cyber incident mean any substantial cyber incident experienced
by a covered entity (see Section IV.A.ii.2 in this document), CISA
interprets the minimum requirements enumerated in 6 U.S.C.
681b(c)(2)(A) as the minimum requirements an incident must meet to be
considered a substantial cyber incident (as opposed to a subset of
substantial cyber incidents that constitute covered cyber incidents).
Thus, while CISA has discretion to raise the threshold required for
something to be a substantial cyber incident, resulting in a reduction
of the number of incidents that would qualify as substantial, CISA may
not lower the threshold below the requirements enumerated in 6 U.S.C.
681b(c)(2)(A).
---------------------------------------------------------------------------
\137\ 6 U.S.C. 681b(c)(2)(A) states that the types of
substantial cyber incidents that constitute covered cyber incidents
must, ``at a minimum, require the occurrence of (i) a cyber incident
that leads to substantial loss of confidentiality, integrity, or
availability of such information system or network, or a serious
impact on the safety and resiliency of operational systems and
processes; (ii) a disruption of business or industrial operations,
including due to a denial-of-service attack, ransomware attack, or
exploitation of a zero day vulnerability, against (I) an information
system or network; or (II) an operational technology system or
process; or (iii) unauthorized access or disruption of business or
industrial operations due to loss of service facilitated through, or
caused by, a compromise of a cloud service provider, managed service
provider, or other third-party data hosting provider or by a supply
chain compromise.''
---------------------------------------------------------------------------
CISA believes that the minimum requirements enumerated in 6 U.S.C.
681b(c)(2)(A) create a sufficiently high threshold to prevent
overreporting by making it clear that routine or minor cyber incidents
do not need to be reported. Accordingly, CISA is proposing to use those
requirements as the basis for the first part of the definition of
substantial cyber incident,
[[Page 23662]]
with minor modifications for clarity and for greater consistency with
the CIRC Model Definition of a reportable cyber incident. Ultimately,
CISA is proposing four types of impacts that, if experienced by a
covered entity as a result of a cyber incident, would result in the
incident being classified as a substantial cyber incident and therefore
reportable under the CIRCIA regulation. Each of these impact types is
described in its own prong of the substantial cyber incident
definition.
i. Impact 1: Substantial Loss of Confidentiality, Integrity, or
Availability
Under the first proposed threshold impact, a cyber incident would
be considered a substantial cyber incident if it resulted in a
substantial loss of confidentiality, integrity, or availability of a
covered entity's information system or network. See Sec. 226.1 of the
proposed regulation. This impact reflects the substantive criteria
contained in the first part of 6 U.S.C. 681b(c)(2)(A)(i), which states
``a cyber incident that leads to substantial loss of confidentiality,
integrity, or availability of such information system or network.''
Although this prong does not explicitly mention operational technology
(OT), CISA is using the term ``information system'' (which, per the
proposed definition, as described in Section IV.A.iv.7 in this
document, includes OT) in this threshold and proposes to interpret this
aspect of the regulation to also specifically cover cyber incidents
that lead to substantial loss of confidentiality, integrity, or
availability of a covered entity's OT.
The concepts of confidentiality, integrity, and availability (CIA),
often referred to as the ``CIA triad,'' represent the three pillars of
information security.\138\ ``Confidentiality'' refers to ``preserving
authorized restrictions on information access and disclosure, including
means for protecting personal privacy and proprietary information.''
\139\ ``Integrity'' refers to ``guarding against improper information
modification or destruction and ensuring information non-repudiation
and authenticity.'' \140\ ``Availability'' refers to ``ensuring timely
and reliable access to and use of information.'' \141\
---------------------------------------------------------------------------
\138\ See, e.g., NIST, Data Integrity: Identifying and
Protecting Assets Against Ransomware and Other Destructive Events,
NIST Special Publication 1800-25 Vol. A at 1 (Dec. 2020), available
at <a href="https://csrc.nist.gov/pubs/sp/1800/25/final">https://csrc.nist.gov/pubs/sp/1800/25/final</a>.
\139\ Id.
\140\ Id.
\141\ Id.
---------------------------------------------------------------------------
The loss of CIA of an information system, including OT, or network
can occur in many ways. For example, if an unauthorized individual
steals credentials or uses a brute force attack to gain access to a
system, they have caused a loss of the confidentiality of a system. If
that unauthorized individual uses that access to modify or destroy any
information on the system, they have caused a loss of the integrity of
the system and potentially a loss of the availability of the
information contained therein. A denial-of-service attack that renders
a system or network inaccessible is another example of an incident that
leads to a loss of the availability of the system or network. These are
just some of the many types of incidents that can lead to a loss of CIA
and would be reportable if the impacts are ``substantial.''
Whether a loss of CIA constitutes a ``substantial'' loss will
likely depend on a variety of factors, such as the type, volume,
impact, and duration of the loss. One example of a cyber incident that
typically would meet the ``substantial'' threshold for this impact type
is a distributed denial-of-service attack that renders a covered
entity's service unavailable to customers for an extended period of
time. Similarly, a ransomware attack or other attack that encrypts one
of a covered entity's core business or information systems
substantially impacting the confidentiality, availability, or integrity
of the entity's data or services likely also would meet the threshold
of a substantial cyber incident under this first impact type and would
need to be reported under the CIRCIA regulation. Persistent access to
information systems by an unauthorized third party would typically be
considered a substantial loss of confidentiality. Even
time-limited access to certain high-value information systems, such as
access to privileged credentials or to a domain controller, could also
be considered a substantial loss of confidentiality. A large-scale data
breach or otherwise meaningful exfiltration of data typically would
also be considered a substantial cyber incident as it would reflect a
substantial loss of the confidentiality of an information system. A
theft of data that may or may not itself meet the ``substantial''
impact threshold by nature of the data theft alone (based on the type
or volume of data stolen) could become a substantial cyber incident if
the theft is followed by a data leak or a credible threat to leak data.
Conversely, CISA would not expect a denial-of-service attack or other
incident that results in a covered entity's public-facing website being
unavailable for a few minutes to typically rise to the level of a
substantial cyber incident under this impact.\142\
---------------------------------------------------------------------------
\142\ The examples provided in this paragraph and elsewhere in
this section of what typically might or might not be considered a
substantial cyber incident are simply a few sample scenarios meant
to provide context around this discussion. The examples are not
meant as an exhaustive or definitive list of what is and is not a
substantial cyber incident. Whether something is or is not a
substantial cyber incident is fact-dependent and must be assessed on
a case-by-case basis. For example, while, as noted, an incident
resulting in a brief unavailability of a public-facing website would
typically not qualify as a substantial loss of availability, such an
incident may be significant for a covered entity whose public-facing
website is a core part of its service offering (such as a webmail
provider).
---------------------------------------------------------------------------
ii. Impact 2: Serious Impact on Safety and Resiliency of Operational
Systems and Processes
The second impact type of the proposed substantial cyber incident
definition would require a covered entity to report a cyber incident
that results in a serious impact on the safety and resiliency of a
covered entity's operational systems and processes. This impact
reflects the threshold enumerated in the second part of 6 U.S.C.
681b(c)(2)(A)(i), which states ``a cyber incident that leads to . . . a
serious impact on the safety and resiliency of operational systems and
processes.'' Safety is a commonly understood term, which NIST defines
as ``[f]reedom from conditions that can cause death, injury,
occupational illness, damage to or loss of equipment or property, or
damage to the environment.'' \143\ NIST defines resilience as ``[t]he
ability to prepare for and adapt to changing conditions and withstand
and recover rapidly from disruption,'' and operational resilience as
``[t]he ability of systems to resist, absorb, and recover from, or
adapt to an adverse occurrence during operation that may cause harm,
destruction, or loss of the ability to perform mission-related
functions.'' \144\
---------------------------------------------------------------------------
\143\ NIST, Developing Cyber-Resilient Systems, NIST Special
Publication 800-160 Vol. 2 Rev. 1, at 67 (Dec. 2021), available at
<a href="https://csrc.nist.gov/pubs/sp/800/160/v2/r1/final">https://csrc.nist.gov/pubs/sp/800/160/v2/r1/final</a>.
\144\ Id. at 65-66.
---------------------------------------------------------------------------
Similar to the interpretation of the word ``substantial'' in the
first impact type, whether an impact on the safety and resiliency of an
operational system or process is ``serious'' will likely depend on a
variety of factors, such as the safety or security hazards associated
with the system or process, and the scale and duration of the impact.
For example, a cyber incident that noticeably increases the potential
for a release of a hazardous material used in chemical manufacturing or
water purification likely would meet this
[[Page 23663]]
definition. Similarly, a cyber incident that compromised or disrupted a
BES cyber system that performs one or more reliability tasks would also
likely meet this prong of the substantial cyber incident definition.
Further, a cyber incident that disrupts the ability of a communications
service provider to transmit or deliver emergency alerts or 911 calls,
or results in the transmission of false emergency alerts or 911 calls,
would meet this definition. While CISA anticipates that the types of
incidents that will actually lead to a serious impact to the safety and
resilience of operational systems and processes may frequently involve
OT, CISA does not interpret ``operational systems and processes'' to be
a reference to OT. Congress used the specific phrase ``operational
technology'' elsewhere in CIRCIA--including in the immediate next
provision--and therefore certainly could have used it in this provision
if that was the intent. Compare 6 U.S.C. 681b(c)(2)(A)(i) with 6 U.S.C.
681b(c)(2)(A)(ii)(II). Accordingly, CISA interprets this prong broadly
as not being limited to only incidents impacting OT, and covered
entities should report incidents that are covered cyber incidents under
this prong of the definition even if the impacts that meet the
threshold are not to OT.
iii. Impact 3: Disruption of Ability To Engage in Business or
Industrial Operations
The third impact of the proposed substantial cyber incident
definition would require a covered entity to report an incident that
results in a disruption of a covered entity's ability to engage in
business or industrial operations, or deliver goods or services. This
prong reflects criteria enumerated by Congress in both 6 U.S.C.
681b(c)(2)(A)(ii) and (iii), which provides that one type of incident
that could qualify as a substantial cyber incident that constitutes a
covered cyber incident is a cyber incident that causes a disruption of
business or industrial operations, including due to a denial-of-service
attack, ransomware attack, or exploitation of a zero-day vulnerability,
against (I) an information system or network; or (II) an operational
technology system or process; or unauthorized access or disruption of
business or industrial operations due to loss of service facilitated
through, or caused by, a compromise of a CSP, managed service provider,
or other third-party data hosting provider or by a supply chain
compromise.
In drafting this prong, CISA has added two clauses to the statutory
criteria relating to an entity's ability to engage in business
operations or deliver goods or services. CISA proposes adding these
clauses to this prong of the substantial cyber incident definition to
clarify CISA's understanding of the statutory language. CISA
understands that a disruption of business operations includes a
disruption to an entity's ability to engage in business operations and
the ability to deliver goods or services. CISA considers this language
to be a clarification of the statutory language, and not an expansion.
NIST defines a disruption as ``[a]n unplanned event that causes a
. . . system to be inoperable for a length of time (e.g., minor or
extended power outage, extended unavailable network, or equipment or
facility damage or destruction).'' \145\ As opposed to the statutory
source for the first two prongs of this definition, the portion of
CIRCIA from which this prong is drawn does not contain a qualifier such
as ``substantial'' or ``serious.'' Nevertheless, because this prong is
part of the threshold for a ``substantial'' cyber incident, CISA
believes it is appropriate to read into the prong some level of
significance. Like the previous prongs, whether a disruption rises to
the level of reportability may depend on a variety of factors and
circumstances, such as the scope of the disruption and what was
disrupted. A relatively minor disruption to a critical system or
network could rise to a high level of substantiality, while a
significant disruption to a non-critical system or network might not.
Generally speaking, incidents that result in minimal or insignificant
disruptions are unlikely to rise to the level of a substantial cyber
incident reportable under this prong; however, the specific
circumstances of the disruption should be taken into consideration.
---------------------------------------------------------------------------
\145\ NIST, Contingency Planning Guide for Federal Information
Systems, NIST Special Publication 800-34 Rev. 1, Appendix G (May
2010), available at <a href="https://csrc.nist.gov/pubs/sp/800/34/r1/upd1/final">https://csrc.nist.gov/pubs/sp/800/34/r1/upd1/final</a>.
---------------------------------------------------------------------------
While 6 U.S.C. 681b(c)(2)(A)(ii) provides that this category
includes disruptions of business or industrial operations ``due to a
denial of service attack, ransomware attack, or exploitation of a zero
day vulnerability,'' CISA is not proposing to include this language in
this third prong, as CISA reads this language as being illustrative of
the types of incidents that might lead to a disruption of business or
industrial operations, rather than a limitation on the types of
incidents that can be reportable under this prong. To that end,
examples of cyber incidents that would meet this prong include the
exploitation of a zero-day vulnerability resulting in the extended
downtime of a covered entity's information system or network, a
ransomware attack that locks a covered entity out of its industrial
control system, or a distributed denial-of-service attack that prevents
customers from accessing their accounts with a covered entity for an
extended period of time. Another example would be where a critical
access hospital is unable to operate due to a ransomware attack on a
third-party medical records software company on whom the critical
access hospital relies; the critical access hospital, and perhaps the
medical records software company as well if it also is a covered
entity, would need to report the incident. Cyber incidents that result
in minor disruptions, such as short-term unavailability of a business
system or a temporary need to reroute network traffic, typically would
not be considered substantial under this prong.
iv. Impact 4: Unauthorized Access Facilitated Through or Caused by a:
(1) Compromise of a CSP, Managed Service Provider, or Other Third-Party
Data Hosting Provider, or (2) Supply Chain Compromise
The fourth prong of the proposed substantial cyber incident
definition would require a covered entity to report an incident that
results in unauthorized access to a covered entity's information system
or network, or any nonpublic information contained therein, that is
facilitated through or caused by a compromise of a CSP, managed service
provider, other third-party data hosting provider, or by a supply chain
compromise. This prong reflects criteria enumerated in 6 U.S.C.
681b(c)(2)(A)(iii).
NIST defines unauthorized access as occurring when an individual
``gains logical or physical access without permission to a network,
system, application, data, or other resource.'' \146\ Unauthorized
access causes actual jeopardy to information systems and the
information therein by compromising the first pillar of the CIA triad--
confidentiality--and by providing an adversary with a launching off
point for additional penetration of a system or network. Much like the
third prong, the source language in CIRCIA does not contain any
qualifier such as ``substantial'' or ``serious.'' However, unlike that
prong, CISA understands the absence of a qualifier here to be a
reflection of the seriousness of
[[Page 23664]]
unauthorized access through a third party (such as a managed service
provider or CSP) or a supply chain compromise. Such cyber incidents
uniquely have the ability to cause significant or substantial nation-
level impacts, even if the impacts at many of the individual covered
entities are relatively minor. The legislative intent makes clear that
supply chain compromises such as the ``SUNBURST'' malware that
compromised legitimate updates of customers using the SolarWinds Orion
product, and third-party incidents like the compromise of the managed
service provider Kaseya, were major drivers of the passage of
CIRCIA.\147\ CISA therefore understands that this prong reflects a
recognition that CISA needs visibility into the breadth of a third-
party incident or supply chain compromise to adequately meet its
obligations under CIRCIA.
---------------------------------------------------------------------------
\146\ NIST, Guide to Industrial Control Systems Security, NIST
Special Publication 800-82 Rev. 3, at 168 (Sept. 2023), available at
<a href="https://csrc.nist.gov/pubs/sp/800/82/r3/final">https://csrc.nist.gov/pubs/sp/800/82/r3/final</a>.
\147\ See, e.g., CHS Fact Sheet, supra note 16 (referencing the
SolarWinds supply chain compromise); Comm. on Homeland Security and
Governmental Affairs, Staff Report: America's Data Held Hostage:
Case Studies in Ransomware Attacks on American Companies, 25-27
(Mar. 2022) (discussing the Kaseya ransomware attacks), available at
<a href="https://www.hsgac.senate.gov/library/files/americas-data-held-hostage-case-studies-in-ransomware-attacks-on-american-companies/">https://www.hsgac.senate.gov/library/files/americas-data-held-hostage-case-studies-in-ransomware-attacks-on-american-companies/</a>;
Business Meeting, Homeland Security and Governmental Affairs
Committee, Opening Remarks by Ranking Member Rob Portman (Oct. 6,
2021) (citing SolarWinds as an example of an event that shows why
greater transparency of these types of events through cyber incident
reporting to CISA is needed), available at <a href="https://www.hsgac.senate.gov/hearings/10-06-2021-business-meeting/">https://www.hsgac.senate.gov/hearings/10-06-2021-business-meeting/</a>;
Stakeholder Perspectives Hearing, supra note 17, at 55 (Statement of
Rep. James Langevin) (``The SolarWinds breach has brought new
attention to the issue of incident reporting, and for good
reason.''); 168 Cong. Rec. S1149 (daily ed. Mar. 14, 2022)
(statement of Sen. Mark Warner) (``The SolarWinds breach
demonstrated how broad the ripple effects of these attacks can be,
affecting hundreds or even thousands of entities connected to the
initial target.'').
---------------------------------------------------------------------------
Examples of cyber incidents that CISA typically would consider
meeting this prong include a detected, unauthorized intrusion into an
information system or the exfiltration of information as a result of a
supply chain compromise (see Section IV.A.iv.13 for further discussion
on the meaning of supply chain compromise). Similarly, unauthorized
access that was achieved through exploitation of a vulnerability in the
cloud services provided to a covered entity by a CSP or by leveraging
access to a covered entity's system through a managed service provider
would meet this prong. Conversely, because the statute requires the
unauthorized access to have been facilitated through or caused by a
compromise of a third-party service provider or supply chain
compromise, unauthorized access that results from a vulnerability
within proprietary code developed by the covered entity or a gap in the
covered entity's access control procedures that allows an unauthorized
employee administrative access to the system would not constitute a
substantial cyber incident under this prong (though could still qualify
as a substantial cyber incident under one of the first three prongs if
it resulted in the requisite impact levels).
b. Guidance for Assessing Whether an Impact Threshold Is Met
When evaluating whether a cyber incident meets one of the four
proposed impact thresholds that would qualify it as a substantial cyber
incident, a covered entity should keep in mind several principles.
First, an incident needs to meet only one of the four prongs, not all
four of the prongs, for it to be a substantial cyber incident. CISA
believes Congress's use of the word ``or'' in 6 U.S.C. 681b(c)(2)(A)
was intentional and was meant to convey the fact that for an incident
to be a substantial cyber incident that meets the threshold of a
covered cyber incident it only had to meet one of the enumerated
criteria, not all the enumerated criteria. CISA's proposed definition
for substantial cyber incident follows this example, using ``or''
intentionally to indicate that if an incident meets any of the
enumerated criteria within the definition it is a substantial cyber
incident. This approach is also consistent with the CIRC Model
Definition, with which, for the reasons discussed below, CISA attempted
to align to the extent practicable.
Second, for an incident to qualify as a substantial cyber incident,
CISA interprets CIRCIA to require the incident to actually result in
one or more of the impacts described above. A number of other cyber
incident reporting regulations do not require actual impacts for an
incident to have to be reported; rather, some require reporting if an
incident results in imminent or potential harm, or identification of a
vulnerability. While good policy rationales exist for both approaches
in various contexts, CISA believes the phrase ``require the occurrence
of'' in 6 U.S.C. 681b(c)(2)(A) limits reportable incidents under CIRCIA
to those that have actually resulted in at least one of the impacts
described in that section of CIRCIA. Likewise, CIRCIA's definition of
cyber incident (of which substantial cyber incidents are a subset)
specifically omits occurrences imminently, but not actually,
jeopardizing information systems or information on information systems.
6 U.S.C. 681(5). Consequently, if a cyber incident jeopardizes an
entity or puts the entity at imminent risk of threshold impacts but
does not actually result in any of the impacts included in the proposed
definition, the cyber incident does not meet the definition of a
substantial cyber incident. Similarly, if malicious cyber activity is
thwarted by a firewall or other defensive or mitigative measure before
causing the requisite level of impact, it would not meet the proposed
definition of a substantial cyber incident and would not have to be
reported. Consequently, blocked phishing attempts, failed attempts to
gain access to systems, credentials reported missing but that have not
been used to access the system and have since been rendered inactive,
and routine scanning that presents no evidence of penetration are
examples of events or incidents that typically would not be considered
substantial cyber incidents. To both convey this intention and to more
closely align with the language used in the CIRC Model Definition, CISA
is proposing ``a cyber incident that leads to'' as the introductory
language before the enumerated threshold prongs. CISA believes the
phrase ``leads to'' satisfactorily conveys that a covered entity must
have experienced one of the enumerated impacts for an incident to be
considered a substantial cyber incident.
Third, the type of TTP used by an adversary to perpetrate the cyber
incident and cause the requisite level of impact is typically
irrelevant to the determination of whether an incident is a substantial
cyber incident.\148\ CISA believes that the specific attack vector or
TTP used to perpetrate the incident (e.g., malware, denial-of-service,
spoofing, phishing) should not be relevant to determining if an
incident is a substantial cyber incident if one of the impact threshold
prongs is met. One of the primary purposes of the CIRCIA regulation is
to allow CISA the ability to identify TTPs being used by adversaries to
cause cyber incidents. Limiting reporting to a specific list of TTPs
that CISA currently is aware of would inhibit CISA's ability to fully
understand the dynamic cyberthreat landscape as it evolves over time or
be able to warn infrastructure owners and
[[Page 23665]]
operators of novel or reemerging TTPs. (See further discussion in
Section IV.A.ii.3.f of this document describing why CISA is proposing
not to use the sophistication or novelty of the tactics used to narrow
the definition of substantial cyber incidents.) This is also consistent
with CIRCIA's statutory language, which references certain types of
TTPs, such as denial-of-service attacks or exploitation of a zero-day
vulnerability, as only examples, rather than a limitation on reportable
covered cyber incidents. See 6 U.S.C. 681b(c)(2)(A)(ii).
---------------------------------------------------------------------------
\148\ The primary exception is the fourth prong, which is
limited to instances where unauthorized access was facilitated
through or caused by a compromise of a CSP, managed service
provider, or another third-party data hosting provider, or by a
supply chain compromise. However, even within this vector-specific
prong, the specific TTPs used by the threat actor to compromise a
third-party provider or the supply chain are not relevant to whether
the incident is reportable.
---------------------------------------------------------------------------
Fourth, for similar reasons, CISA has elected not to limit the
definition of substantial cyber incident to impacts to specific types
of systems, networks, or technologies. A number of commenters suggested
that CISA should only require reporting of incidents that impact
critical systems. CISA is proposing that under CIRCIA, if a cyber
incident impacting a system, network, or technology that an entity may
not believe is critical nonetheless results in actual impacts that meet
the level of one or more of the threshold impact prongs, then the
incident should be reported to CISA. In addition to helping ensure CISA
receives reports on substantial cyber incidents even if they were
perpetrated against a system, network, or technology deemed non-
critical by the impacted covered entity, this approach also has the
benefit of alleviating the need for a covered entity to proactively
determine which systems, networks, or technologies it believes are
``critical'' and instead focus solely on the actual impacts of an
incident as the primary determining factor as to whether a cyber
incident is a reportable substantial cyber incident. For similar
reasons, CISA is proposing to include, but not specifically
distinguish, cyber incidents with impacts to OT. While it may be the
case that cyber incidents affecting OT are more likely to meet the
impact thresholds in the definition of substantial cyber incident, CISA
did not want to artificially scope out cyber incidents that primarily
impact business systems but nevertheless result in many of the same
type of impacts that could result from a cyber incident affecting OT.
Fifth, CISA is aware that in some cases, a covered entity will not
know for certain the cause of the incident within the first few days
following the occurrence of the incident. As is discussed in greater
detail in Section IV.E.iv on the timing of submission of CIRCIA
Reports, a covered entity does not need to know the cause of the
incident with certainty for it to be a reportable substantial cyber
incident. For incidents where the covered entity has not yet been able
to confirm the cause of the incident, the covered entity must report
the incident if it has a ``reasonable belief'' that a covered cyber
incident occurred. If an incident meets any of the impact-based
criteria, it would be reportable if the covered entity has a
``reasonable belief'' that the threshold impacts occurred as a result
of activity without lawful authority, even if the specific cause is not
confirmed. For the fourth prong, a reasonable belief that unauthorized
access was caused by a third-party provider or a supply chain
compromise would be sufficient to trigger a reporting obligation, even
if the cause of the cyber incident was not yet confirmed. As discussed
in Section III.C.ii on the purposes of the regulation, timely reporting
is of the essence for CISA to be able to quickly analyze incident
reports, identify trends, and provide early warnings to other entities
before they can become victims. Accordingly, CISA believes its ability
to achieve the regulatory purposes of CIRCIA would be greatly
undermined if covered entities were allowed to delay reporting until an
incident has been confirmed to have been perpetrated without lawful
authority. Therefore, an incident whose cause is undetermined, but for
which the covered entity has a reasonable belief that the incident may
have been perpetrated without lawful authority, must be reported if the
incident otherwise meets the reporting criteria. If, however, the
covered entity knows with certainty the cause of the incident, then the
covered entity only needs to report the incident if the incident was
perpetrated without lawful authority.
Finally, CISA expects a covered entity to exercise reasonable
judgment in determining whether it has experienced a cyber incident
that meets one of the substantiality thresholds. If a covered entity is
unsure as to whether a cyber incident meets a particular threshold,
CISA encourages the entity to either proactively report the incident or
reach out to CISA to discuss whether the incident needs to be reported.
c. Reportability of Cyber Incidents Regardless of Cause
As noted in Section IV.A.ii.3.a.iv of this document, the CIRCIA
statute limits which cyber incidents only involving unauthorized access
can be considered a substantial cyber incident. Specifically, the
statute states that to be considered a substantial cyber incident based
on unauthorized access alone (without any of the impacts listed in the
first three prongs, such as where the unauthorized access does not
result in a ``substantial'' loss of confidentiality, integrity, or
availability under the first prong), a cyber incident must be
facilitated through or caused by a compromise of a CSP, managed service
provider, another third-party data hosting provider, or by a supply
chain compromise. See 6 U.S.C. 681b(c)(2)(A)(iii). Cyber incidents
resulting in impacts other than unauthorized access and described in
the first three impact prongs are not limited by the source or cause in
the same manner. Similarly, as noted in Section IV.A.ii.3.a.iii of this
document, CISA does not view the language in 6 U.S.C. 681b(c)(2)(A)(ii)
regarding denial-of-service attacks, ransomware attacks, or
exploitation of a zero-day vulnerability as suggesting a limitation on
the vector or type of incidents in the third prong, or to suggest that
denial-of-service attacks, ransomware attacks, or exploitation of a
zero-day vulnerability that leads to the impacts described in the first
two prongs would not be reportable if the impact thresholds are
otherwise met. To ensure it is clear that cyber incidents resulting in
threshold impacts other than unauthorized access should be reported
regardless of cause or vector, including whether they were or were not
facilitated through or caused by a compromise of a third-party service
provider or supply chain compromise, denial-of-service attack,
ransomware attack, or exploitation of a zero-day vulnerability, CISA is
proposing to include in the definition of substantial cyber incident
explicit language to that effect. Specifically, CISA is proposing to
include in the definition of substantial cyber incident the statement
that a substantial cyber incident resulting in any of the threshold
impacts identified in the first three prongs includes any cyber
incident regardless of cause. See proposed Sec. 226.1. As indicated in
the proposed regulatory text, CISA interprets the phrase ``regardless
of cause'' to include, but not be limited to, incidents caused by a
compromise of a CSP, managed service provider, or other third-party
data hosting provider; a supply chain compromise; a denial-of-service
attack; a ransomware attack; or exploitation of a zero-day
vulnerability.
In today's complex cyber environment, entities frequently rely on
third parties for various IT-related services, such as hosting,
administering, managing, or securing networks, systems, applications,
infrastructure, and digital information. Depending on what services are
being provided, these third-party service providers--be they CSPs,
managed service providers, or other third-party data hosting
[[Page 23666]]
providers--via the systems and networks they manage, may provide an
additional avenue through which nefarious individuals can seek to
impact a service provider's customer's information systems or the
information contained therein, which may also impact a covered entity.
Similarly, adversaries may seek to impact covered entities by
exploiting elements of the supply chain that a covered entity may rely
upon.
This part of the substantial cyber incident definition is intended,
in part, to ensure that a covered entity reports cyber incidents
experienced by the covered entity that rise to the level of
substantiality that warrants reporting even if the cyber incident in
question was caused by a compromise of a product or service managed by
someone other than the covered entity. This clause is important to
prevent the creation of a ``blind spot'' where the covered entity
experiences a substantial cyber incident but escapes required reporting
based on the manner in which the incident was initiated or perpetrated.
Congress recognized the importance of this approach, and explicitly
authorized it in CIRCIA for incidents that resulted in ``unauthorized
access or disruption of business or industrial operations due to loss
of service facilitated through, or caused by, a compromise of a cloud
service provider, managed service provider, or other third-party data
hosting provider or by a supply chain compromise.'' 6 U.S.C.
681b(c)(2)(A)(iii).
CISA believes the policy rationale for applying this provision to
incidents resulting in unauthorized access or disruption of business or
industrial operations (the third and fourth threshold prongs) applies
equally to incidents resulting in a substantial loss of CIA, or a
serious impact on the safety and resiliency of operational systems and
processes (the first and second prongs). Accordingly, CISA proposes
including this clause as a full part of the substantial cyber incident
definition, so that it applies to cyber incidents that result in
impacts meeting any of the four impact threshold prongs.
While a covered entity must report qualifying incidents that are
the result of a compromise of a CSP, managed service provider, or other
third-party data hosting provider, or by a supply chain compromise, it
is important to note that this imposes reporting requirements solely on
the covered entity that the incident impacts at a threshold level.
Accordingly, a CSP, managed service provider, or other third-party
service provider is not obligated, by virtue of this provision, to
report an incident that causes threshold level impacts to one of its
customers even if the impacts are the result of a compromise of the
third-party's services, network, software, etc. A third-party service
provider only needs to report a cyber incident if (a) the third-party
service provider independently meets the definition of covered entity,
and (b) the third-party service provider itself experiences impacts
that rise to the level of a substantial cyber incident. Note, however,
a covered entity third-party provider could experience a reportable
substantial cyber incident without the third-party service provider
experiencing direct impacts from a cyber incident that exploits or
compromises their information networks or systems. This would be the
case where a cyber incident facilitated through or caused by a
compromise of the third-party service provider meeting the definition
of a covered entity caused enough impacts to one or more of the
provider's customers that the cumulative effect of the incident
resulted in a substantial disruption of the third-party service
provider's business operations.
This part of the proposed substantial cyber incident definition is
also intended to emphasize that the first three prongs of the
definition of substantial cyber incident are also TTP, incident type,
and vector agnostic. While denial-of-service attack, ransomware attack,
and exploitation of a zero-day vulnerability are specifically listed in
this part of the definition in light of their inclusion in 6 U.S.C.
681b(c)(2)(A)(ii), their inclusion in the statute and this part of the
definition are as examples only. Any cyber incident experienced by a
covered entity, regardless of cause, that meets the impact thresholds
in the first three prongs of the definition of substantial cyber
incident would be considered a substantial cyber incident. This
includes, for example, exploitation of a previously known
vulnerability, and not just exploitation of a zero-day vulnerability.
For further examples of incidents that typically would and would not be
considered a substantial cyber incident, see Section IV.A.ii.3.e of
this document.
d. Exclusions
In 6 U.S.C. 681b(c)(2)(C), Congress identified two types of events
that CISA must exclude from the types of incidents that constitute
covered cyber incidents. Specifically, Congress stated that CISA was to
``exclude (i) any event where the cyber incident is perpetrated in good
faith by an entity in response to a specific request by the owner or
operator of the information system; and (ii) the threat of disruption
as extortion, as described in section 2240(14)(A).'' 6 U.S.C.
681b(c)(2)(C). In addition, CISA is proposing excluding any lawfully
authorized U.S. Government or SLTT Government entity activity including
activities undertaken pursuant to a warrant or other judicial process.
CISA is proposing to incorporate these exclusions into the
definition of substantial cyber incident by proposing a statement
reiterating these exclusions at the end of the definition itself. The
statement added to the proposed definition of substantial cyber
incident is taken almost verbatim from the CIRC Model Definition which
itself includes both of the exclusions contained in 6 U.S.C.
681b(c)(2)(C). Additional information on each of the prongs of this
exclusory statement is contained in the following three subsections.
i. Lawfully Authorized Activities of a United States Government Entity
or SLTT Government Entity
CISA proposes excluding from the definition of substantial cyber
incident any lawfully authorized United States Government entity or
SLTT Government entity activity, including activities undertaken
pursuant to a warrant or other judicial process. This exception, which
is similar to an exception contained in the CIRC Model Definition, is
intended to except from reporting any incident that occurs as the
result of a lawful activity of a Federal or SLTT law enforcement
agency, Federal intelligence agency, or other Federal or SLTT
Government entity. This exception does not, however, allow a covered
entity to delay or forgo reporting a covered cyber incident to CISA
because it has reported a covered cyber incident to, or is otherwise
working with, law enforcement. It simply says that a lawful activity
conducted by a Federal or SLTT governmental entity, such as a search or
seizure conducted pursuant to a warrant, is not itself a substantial
cyber incident.
CISA believes this exception is warranted as reports on lawful
Federal or SLTT government activity would in no meaningful way further
the articulated purposes of the regulation, such as analyzing adversary
TTPs and enabling a better understanding of the current cyber threat
environment. This exception provides further clarity on the scope of
cyber incident, which is defined as an occurrence ``without lawful
authority.'' Moreover, failure to exclude such incidents from required
reporting could negatively impact a covered entity's willingness to
work
[[Page 23667]]
with Federal or SLTT law enforcement, intelligence, or other government
agencies if such cooperation could result in new regulatory reporting
obligations.
ii. Incidents Perpetrated in Good Faith by an Entity in Response to a
Specific Request by the Owner or Operator of the Information System
Section 681b(c)(2)(C)(i) of title 6, United States Code, states
that the description of the types of substantial cyber incidents that
constitute covered cyber incidents shall exclude ``any event where the
cyber incident is perpetrated in good faith by an entity in response to
a specific request by the owner or operator of the information
system.'' CISA is proposing incorporating this exclusion verbatim into
the proposed definition of substantial cyber incident.
There are a variety of situations in which a cyber incident could
occur at a covered entity as the result of an entity acting in good
faith in response to a request from the owner or operator of the
information system through which the cyber incident was perpetrated. One example of this
would be if a third-party service provider acting within the parameters
of a contract with the covered entity unintentionally misconfigures one
of the covered entity's devices leading to a service outage. Another
example would be a properly authorized penetration test that
inadvertently results in a cyber incident with actual impacts. Congress
intended that such incidents, when the result of good faith actions
conducted pursuant to a specific request by the owner or operator of
the information system at issue, be excluded from the CIRCIA reporting
requirements.
In addition to the examples provided above, CISA interprets this
exclusion to also exclude from reporting cyber incidents that result
from security research testing conducted by security researchers who
have been authorized by the covered entity or the owner or operator of
the impacted information system to attempt to compromise the system,
such as in accordance with a vulnerability disclosure policy or bug
bounty program published by the owner or operator. However, because
the exception only applies to ``cyber incident[s] perpetrated in good
faith . . . in response to a specific request by'' the information
system owner or operator, this exception would only apply to this type
of research where the bug bounty program, vulnerability disclosure
policy, or other form of authorization preceded the discovery of the
incident. That said, CISA anticipates that this example would occur
rarely, as good faith security research should generally stop at the
point the vulnerability can be demonstrated and should not typically
engage in activity that would result in a covered cyber incident.\149\
---------------------------------------------------------------------------
\149\ See, e.g., CISA, Vulnerability Disclosure Policy Template
(``Only use exploits to the extent necessary to confirm a
vulnerability's presence. Do not use an exploit to compromise or
exfiltrate data, establish persistent command line access, or use
the exploit to pivot to other systems.''), available at <a href="https://www.cisa.gov/vulnerability-disclosure-policy-template-0">https://www.cisa.gov/vulnerability-disclosure-policy-template-0</a>.
---------------------------------------------------------------------------
Regarding this exclusion, the request that causes the incident need
not necessarily come from the impacted covered entity itself, but
rather from the owner or operator of the information system at issue.
While the owner or operator of the information system through which the
incident was caused will often be the covered entity, that may not
always be the case. For example, in some situations involving a CSP or
managed service provider, the service provider may duly authorize a
penetration test on its own systems or software. If such testing
inadvertently resulted in a cyb
[…truncated; see source link]