President Biden has signed into law the Consolidated Appropriations Act of 2022 (2022 CAA), which includes the Cyber Incident Reporting for Critical Infrastructure Act (Cyber Incident Reporting Act).  The Cyber Incident Reporting Act requires certain critical infrastructure entities to swiftly report certain cyber incidents and ransomware payments to the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (Agency).  A Notice of Proposed Rulemaking (NPRM) will be issued within two years proposing the final rules to implement the requirements included in the Cyber Incident Reporting Act.

Bottom Line: With the passage of the 2022 CAA, the Agency is now tasked with issuing an NPRM proposing new reporting requirements for critical infrastructure entities.  These new reporting requirements will require covered entities to report certain cyber incidents within 72 hours and report ransomware payments within 24 hours.  These reporting requirements will not be effective for at least two years given that final rules first must be proposed and then published.

Cyber Incident Reporting for Critical Infrastructure Act

Cyber Incident Review

This law will require the Agency’s National Cybersecurity and Communications Integration Center (Center) to review and analyze reports made by covered entities related to a covered cyber incident.  Within 24 hours of receiving a submitted report, subject to change by the President or a designee of the President, the Center will be required to make this information available to the appropriate Sector Risk Management Agencies and other appropriate federal agencies.  The Center will also assess the effectiveness of security controls and identify tactics and techniques to overcome the cybersecurity threat.

This information will also be shared with the appropriate federal agencies and departments to enhance the effectiveness of coordination efforts.  In addition, the Center will also be tasked with: (1) establishing mechanisms to receive feedback from stakeholders on its processes; (2) facilitating timely sharing of cyber incident information with critical infrastructure owners and operators; and (3) publishing quarterly unclassified, public reports that aggregate cyber incident observations and recommendations.

No later than 60 days after the effective date of the final rules, the Agency, on the first day of each month, shall provide congressional leadership a briefing that characterizes the national cyber threat landscape by identifying trends in cyber incidents and ransomware attacks.

Required Reporting of Cyber Incidents

Initial Reporting

A covered entity that experiences a covered cyber incident must report the incident to the Agency no later than 72 hours after the covered entity reasonably believes that a cyber incident has occurred.  In regard to ransom payments made as a result of a ransomware attack, a covered entity must report the payment to the Agency no later than 24 hours after the payment has been made. This also applies to ransomware payments made in the face of a ransomware attack that is not defined as a covered cyber incident.  However, if a covered entity experiences a covered cyber incident and makes a ransom payment prior to the deadline for the 72-hour report, it may submit a single report to satisfy the requirements of both rules.  

Updates to Initial Report

After submitting the initial report, covered entities must promptly submit updates and supplements to the Agency if substantially new or different information becomes available or if the covered entity makes a ransom payment after submitting a cyber-incident report.  Updates must be reported until the covered entity notifies the Agency that the covered cyber incident at issue has been resolved.  Entities reporting this information are required to preserve data relevant to the cyber incident or ransom payment in accordance with the procedures to be established in the final rules.

Where the Agency has an agreement in place with another federal agency that satisfies the reporting requirements, the covered entity will not be required to report substantially similar information in a similar timeframe.  This exemption will not apply until there is an agency agreement and sharing mechanism between the Agency and the respective federal agency.

Submission of Reports

A covered entity may use a third party, such as an incident response company, insurance provider, service provider, the Information Sharing and Analysis Organization, or law firm to submit its required report.  The reports shall be made in a form and manner as prescribed in the final rules.  These reporting requirements will not be effective until the final rules are effective.

Submitted reports must be treated as commercial, financial, and proprietary information of the covered entity when designated as such by the covered entity.  Such reports will not constitute a waiver of any applicable privilege or protection provided by law.  Furthermore, no cause of action can be maintained based on the submission of a report unless it is action taken by the federal government.

Noncompliance with Required Reporting

If an entity fails to submit its required report, the Agency may obtain information about the cyber incident or ransom payment by engaging the covered entity directly to request information about the incident or ransom payment.  If the Agency has not received a response from the initial information request within 72 hours, it may issue a subpoena.  If the entity fails to comply with the subpoena, the Agency may refer the matter to the Attorney General to bring a civil action in a district court to enforce the subpoena.  

The Agency must provide an annual report to Congress that details each time it issued an initial request for information, issued a subpoena, and referred a matter to the Attorney General.  This report shall be published on the Agency’s website.  Entities included in the report will be anonymous.

Outreach Campaign

The Agency will conduct an outreach and education campaign to inform likely covered entities of the reporting requirements.

Voluntary Reporting of Other Cyber Incidents

Entities may voluntarily report cyber incidents or ransom payments to the Agency that are not required under the rules, but which may enhance the situational awareness of cyber threats.  Covered entities may also voluntarily include information not required in mandatory reports.

Information Sharing with Federal Entities

Any federal agency must provide any report it receives to the Agency no later than 24 hours after receiving the report unless a shorter time period is agreed upon between DHS and the recipient federal agency.  This rule will take effect on the effective date of the final rules.

Information provided to the Agency may be disclosed, retained, or used by any federal agency or department, component, officer, employee, or agent of the federal government solely for: (1) a cybersecurity purpose; (2) a response to a cyber threat; (3) a response to a security vulnerability; (4) a response to a specific threat of death or serious bodily harm, or serious economic harm; (5) a response to a serious threat to a minor; and (6) prevention of an offense arising out of a cyber-incident.  The Agency is required to develop principles that will govern the timing and manner of how security vulnerability information is shared.

Upon receiving a covered cyber incident or ransom payment report, the Agency must immediately review the report to determine whether the cyber incident that is the subject of the report is connected to an ongoing cyber threat or security vulnerability and use such report to identify, develop, and disseminate actionable indicators and defensive measures to appropriate stakeholders.

Cyber Incident Reporting Council

DHS is required to lead an intergovernmental Cyber Incident Reporting Council (Council) to coordinate and harmonize federal incident reporting requirements in consultation with the Director of the Office of Management and Budget, the Attorney General, the National Cyber Director, Sector Risk Management Agencies, and other appropriate federal agencies.

Ransomware Vulnerability Warning Pilot Program

No later than one year after the enactment of the CAA, the Agency is required to establish a ransomware vulnerability warning pilot program to leverage existing authorities and technology to specifically develop processes and procedures for identifying information systems that contain security vulnerabilities associated with common ransomware attacks, and to notify the owners of their vulnerable systems.  This program is tasked with identifying the most common security vulnerabilities used in ransomware attacks and techniques on how to mitigate and contain the security vulnerabilities.  This pilot program will terminate four years after the enactment of the CAA.

Ransomware Threat Mitigation Activities

Within 180 days of the enactment of the CAA, the Director of the Agency will establish and chair the Joint Ransomware Task Force to coordinate an ongoing nationwide campaign against ransomware attacks, and identify and pursue opportunities for international cooperation.  The Task Force will consist of participants from federal agencies as deemed appropriate by the National Cyber Director in consultation with DHS.  The Task Force will coordinate the following activities: (1) prioritizing intelligence-driven operations to disrupt specific ransomware actors; (2) consulting with the relevant private sector, state, local, Tribal, and territorial governments, and international stakeholders to identify needs and establish mechanisms for providing input into the Task Force; (3) identifying a list of the highest-threat ransomware entities, updated on an ongoing basis; (4) disrupting ransomware criminal actors and their finances; (5) facilitating coordination and collaboration between relevant entities to improve federal actions against ransomware threats; (6) collecting, sharing, and analyzing ransomware trends to inform federal actions; (7) creating after-action reports that identify successes and failures to improve subsequent actions; and (8) any other activities deemed appropriate.

Congressional Reporting

No later than 30 days after the final rules are issued, the Agency is mandated to submit a report to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Homeland Security (collectively the Congressional Homeland Security Committees) that describes how the Agency engaged with stakeholders in developing the final rules.  Additionally, within one year of the enactment of the legislation, the Agency must submit a report to the Congressional Homeland Security Committees that describes how effectively the Center has used cyber incident data to inform and enable cybersecurity research within the academic and private sector.  No later than one year after the final rules are issued, the Agency must submit a report to the Congressional Homeland Security Committees on the effectiveness of this law and its enforcement mechanisms.