In a significant move by the U.S. Government, President Biden signed the Consolidated Appropriations Act, 2022, H.R. 2471 into law on March 15, 2022. Labeled a “game-changer” by U.S. Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the Act) will take fuller shape as CISA undertakes proposed rulemaking and subsequently issues a final rule, which will set forth the effective date of the Act’s reporting requirements. CISA has 24 months from the March 15, 2022 enactment date to publish a notice of proposed rulemaking, and up to 18 months after the proposed rulemaking to issue a final rule. Until the final rule takes effect, the reporting obligations described below are not yet enforceable.
Key takeaways at this time include:
1. The Act imposes reporting obligations on covered entities. The Act does not yet fully define “covered entity”; it provides that the definition will be completed in the proposed rulemaking and final rule, and that the term will encompass entities in one of the 16 critical infrastructure sectors identified in Presidential Policy Directive 21. The 16 critical infrastructure sectors are: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems. The Act encourages voluntary reporting by organizations regardless of whether they do or will meet the definition of a “covered entity” under the Act.
2. Covered cyber incidents must be reported to CISA within 72 hours after the covered entity reasonably believes the incident has occurred. The clock therefore runs from the entity’s reasonable belief, not from the moment of intrusion, which makes a documented internal escalation and triage timeline important. The Act does not yet fully define “covered cyber incident”; the definition will be completed in the proposed rulemaking and final rule. However, the Act does set parameters for the types of events that will be considered “covered cyber incidents,” which include: substantial loss of confidentiality, integrity or availability of an information system; disruption of business or industrial operations, including due to a denial of service attack, a ransomware attack or exploitation of a zero-day vulnerability; and unauthorized access or disruption caused by the compromise of a cloud service provider, managed service provider, other third-party hosting provider or supply chain partner of a “covered entity.” Per the Act, a covered cyber incident report to CISA must, at a minimum, include certain information about the incident such as: (1) a description of the affected information systems; (2) a description of the vulnerabilities exploited; (3) the security defenses in place and the tactics, techniques and procedures used to perpetrate the incident; (4) information about the actor(s) reasonably believed to be responsible for the incident; and (5) the identification of categories of information that were, or are reasonably believed to have been, accessed or acquired by an unauthorized person.
3. Ransom payments resulting from a ransomware attack must be reported within 24 hours of the payment being made. This 24-hour obligation applies even if the underlying attack was not itself a covered cyber incident, and a covered entity that reports both may combine the filings. The Act defines a “ransomware attack,” in summary, as an incident that includes the use or threat of use of unauthorized or malicious code on an information system to interrupt or disrupt operations or compromise the confidentiality, availability, or integrity of data in order to extort a ransom payment. The Act requires that a ransom payment report to CISA include, at a minimum: (1) a description of the ransomware attack; (2) a description of the vulnerabilities exploited and the tactics, techniques and procedures used to perpetrate the attack; (3) information about the actor(s) reasonably believed to be responsible for the attack; (4) the date of the ransom payment; (5) the ransom payment demand, including the type of virtual currency or other commodity requested; (6) the ransom payment instructions, including where the payment was to be sent; and (7) the amount of the ransom payment.
4. Covered entities are required to file initial and supplemental reports. Under the Act, a covered entity must promptly submit a supplemental report to CISA whenever “substantial new or different” information becomes available, including the fact that a ransom payment was made after the initial incident report, and this duty continues until the entity notifies CISA that the incident has concluded and been fully mitigated and resolved.
5. Third parties may report on behalf of a covered entity. A third party acting on a covered entity’s behalf, including a law firm, insurance company or incident response company, may submit a required report, although the covered entity remains responsible for meeting the reporting obligation. Any third party that makes a ransom payment on behalf of a covered entity is required to advise the impacted entity of its duty to report the ransom payment under the Act.
6. Reporting under the Act is in addition to, and not instead of, other reporting obligations. The Act’s reporting requirements do not affect or replace any other legal reporting requirements a covered entity may have, such as state breach notification laws or sector-specific regulatory reporting. However, the Act does allow an exemption for “a covered entity required by law, regulation, or contract to report substantially similar information to another Federal agency within a substantially similar timeframe,” provided that agency shares the information with CISA under an interagency agreement.
7. CISA will share information received via covered entity reporting. Per the Act, CISA will immediately review a submitted report to determine whether the relevant cyber incident is connected to any ongoing cyber threat or security vulnerability and will share related anonymized cyber threat indicators and defensive measures with appropriate stakeholders. Additionally, the reports will be used to aggregate and analyze information to: (1) assess the effectiveness of security controls; (2) identify tactics used to overcome security controls; and (3) assess the potential impact of incidents on public health and safety. The reports will also be shared with appropriate federal bodies to identify and track ransom payments. The Act prohibits the contents of any report from being used to regulate the reporting entity, including through enforcement actions, and submitted reports cannot be used as evidence in litigation against the reporting entity. The reports are also exempt from disclosure under the Freedom of Information Act.
8. CISA is empowered to act in response to covered entity non-compliance. The Act incentivizes compliance primarily through the protections described above rather than through direct penalties. However, CISA is authorized to request information from a covered entity that it has reason to believe has failed to submit a required report. If the covered entity does not respond or provide adequate information to CISA within 72 hours after the request, CISA may issue a subpoena for the information, and a subpoena that is not complied with may be enforced through a civil action brought by the Attorney General. The Act also stipulates that information obtained through a subpoena may be referred for regulatory enforcement or criminal prosecution if it reveals such conduct. Notably, the protections against regulatory use and litigation that apply to voluntarily submitted reports do not extend to information obtained by subpoena.
If you have any questions about the Act and how it may pertain to your organization or industry sector, please contact Jeffrey J. Boogay (267.930.4784), Ryli McDonald (267.930.2623) or another one of our data privacy and security professionals.