New Cross-Sector 72 Hour Data Breach Requirements for Critical Infrastructure

Alert
April 18, 2024

The Cybersecurity and Infrastructure Security Agency (CISA) has issued its Notice of Proposed Rulemaking (NPRM) to establish the first cross-sectoral federal cybersecurity incident and ransomware payment reporting system.

As we discussed in an alert in March 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law just over two years ago. CIRCIA requires “covered entities”—organizations in certain critical infrastructure sectors—to report substantial cybersecurity incidents to the Department of Homeland Security within 72 hours after the organization reasonably believes the cyber incident has occurred. Covered entities will also be required to report ransom payments within 24 hours of making a payment in response to a ransomware attack.

These regulations would upset the existing sector-based breach reporting by creating an overlapping regime with reporting to a different regulator. Significantly, companies that provide reports to their primary regulators may be exempt from the CISA reporting, but only if the reporting is equivalent in content and timing and an agreement exists between that regulator and CISA. In particular, many healthcare and other entities accustomed to reporting breaches on 30- or 60-day clocks will find themselves required to make disclosures to the federal government on a 72-hour clock that is dictated by a statute – potentially altering the expectations of both regulators and regulated entities about the nature of information available in the midst of incident response.

As opposed to regimes designed for post-hoc assessments of security procedures, CIRCIA focuses on national and economic security, and CISA made clear that in designing its proposed regulations, it erred on the side of rapid over-collection and over-inclusivity, largely ignoring stakeholder warnings that the agency could be overloaded. CISA’s proposal prioritizes timely reports, a preference that it hopes to balance with the availability of Supplemental Reports. While the agency did add an exemption for small businesses, the NPRM is still projected to encompass well over 300,000 entities – at least 50% more than the number of government contractors in the country.

Adding to the uncertainty is the vague manner in which “covered entities” are defined. The NPRM does not define “critical infrastructure” or the 16 “critical infrastructure sectors.” Companies, even those not historically considered critical infrastructure, should analyze the proposed rule to determine if they would be swept into the proposed reporting requirements. Given the current lack of definitional clarity relating to critical infrastructure sectors, companies connected even indirectly with one or more of those sectors may nevertheless be covered by the rule. Indeed, CISA explicitly notes in the preamble that “at least some entities that do not own or operate systems or assets that meet the definition of critical infrastructure . . . but are active participants in critical infrastructure sectors and communities” would be considered critical infrastructure within the meaning of CIRCIA.

For companies that are covered entities, the CIRCIA 72-hour proposal would be a significant change from the 30-60 days in most state data breach notification reporting requirements. Moreover, the reporting here is not tied to any type of personal information, includes operational events, and necessitates ransom payment notification. These changes will ripple across the economy as covered entities demand that vendors commit to notification on equally tight time frames, leading to a series of reports about ongoing investigations that may prove to be inaccurate upon full investigation.

The NPRM was formally published in the Federal Register on April 4 and the public has until June 3 to submit written comments. CISA is required to publish a final rule by October 2025.

We further summarize critical aspects of the NPRM below.

Covered Entities

The NPRM applies to all entities in a critical infrastructure sector that either exceed the small business size standard or meet specific enumerated criteria. As a result, the applicability of the NPRM is broad and may include entities that do not traditionally think of themselves as critical infrastructure.

Critical Infrastructure Sector

An Obama-era document, Presidential Policy Directive 21, identifies the sixteen critical infrastructure sectors that the NPRM relies on. The list includes the following sectors: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.

The NPRM considers that “the overwhelming majority of entities, though not all, are considered part of one or more critical infrastructure,” and it directs entities to CISA’s sector-specific plans to determine which, if any, sector includes a given entity.

Small Business Size Standard

The NPRM limits covered entities to those within a critical infrastructure sector that exceed the U.S. Small Business Administration’s (SBA) small business size standard. Depending on the industry, that standard is based on either number of employees or annual revenue and is set for each North American Industry Classification System code in the SBA Size Standards. See 13 CFR part 121. The SBA reviews and updates the Size Standards every five years via rulemaking. The current SBA Size Standards are contained in the SBA’s Table of Small Business Size Standards, effective January 1, 2022.

Sector Based Criteria

The NPRM further defines covered entities by proposing to include entities that meet a set of specific sector-based criteria – regardless of size and regardless of the entity’s own assessment of which critical infrastructure sector, if any, it belongs to. The criteria include a broad swath of IT companies:

“Any entity that knowingly provides or supports information technology hardware, software, systems, or services to the Federal government, performs functions related to domain name operations, is an original equipment manufacturer, vendor, or integrator of operational technology hardware or software components, or has developed and continues to sell, license, or maintain any software with certain characteristics.”

Beyond this IT-sector criterion, the proposed criteria include:

  1. Any entity in a critical infrastructure sector that owns or operates a covered chemical facility subject to the Chemical Facility Anti-Terrorism Standards.
  2. Any entity that provides communications services by wire or radio communications, as defined in 47 U.S.C. 153(40), 153(59), to the public, business, or government including radio and television broadcasters, cable television, satellite operators, telecommunications carriers, submarine cable licensees, fixed and mobile wireless service providers, VoIP providers, and internet service providers.
  3. Any entity engaged in primary metal manufacturing; machinery manufacturing; electrical equipment, appliance, and component manufacturing; or transportation equipment manufacturing.
  4. Any entity that is a contractor or subcontractor required to report cyber incidents to DOD pursuant to the definitions and requirements of the DFARS Safeguarding Covered Defense Information and Cyber Incident Reporting clause located at 48 CFR 252.204-7012.
  5. Any entity that provides one or more of five listed emergency services or functions to a population equal to or greater than 50,000 individuals. These services include law enforcement, fire and rescue services, emergency medical services, emergency management, and public works that contribute to public health and safety.
  6. Any entity that is required to report cybersecurity incidents under NERC’s CIP Reliability Standards or required to file an Electric Emergency Incident and Disturbance Report OE-417 form, or any successor form, to DOE.
  7. Any entity that owns or operates financial services sector infrastructure. According to the NPRM this section intends to capture financial services sector entities that are required to report cybersecurity incidents to their respective primary Federal regulator, entities for whom the primary Federal regulator has indicated an intention to require cybersecurity incident reporting, and entities encouraged or expected to report cybersecurity incidents to their primary Federal regulator pursuant to an Advisory Bulletin. The NPRM concedes that this will lead to duplicative reporting.
  8. Any State, local, Tribal, or territorial government entity for a jurisdiction with a population equal to or greater than 50,000 individuals.
  9. Any local educational agency, educational service agency, or state educational agency with a student population equal to or greater than 1,000 students, and any institution of higher education that receives funding under Title IV of the Higher Education Act.
  10. Any entity that manufactures, sells, or provides managed services for information and communications technology specifically used to support election processes or report and display results.
  11. Any entity that owns or operates a hospital with 100 or more beds or a critical access hospital, manufactures certain drugs, or manufactures certain medical devices.
  12. Any entity that owns or operates a commercial nuclear power reactor or fuel cycle facility.
  13. Any entity that qualifies as a freight railroad carrier, a public transportation agency or passenger railroad carrier, an over-the-road bus operator, a pipeline facility or system owner or operator, an aircraft operator, an indirect air carrier, an airport operator, or a certified cargo screening facility.
  14. Any entity that owns or operates a vessel, facility, or outer continental shelf facility.
  15. Any entity that owns or operates a qualifying community water system or publicly owned treatment works.

Reporting Requirements

Covered Cyber Incident Report

The proposed rule here is stated simply enough – a covered entity must submit a Covered Cyber Incident Report to CISA no later than 72 hours after the covered entity reasonably believes the covered cyber incident has occurred.

The NPRM defines “covered cyber incident” as a substantial cyber incident experienced by a covered entity. While the NPRM does not specifically define “substantial cyber incident,” it proposes that a cyber incident qualifies as substantial if, regardless of cause, the incident results in:

(a) a substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network;

(b) a serious impact on the safety and resiliency of a covered entity’s operational systems and processes; or

(c) a disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services.

A “substantial cyber incident” also includes a cyber incident that results in unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise.

The definition does not include lawful government activity, a cyber incident perpetrated in good faith by an entity in response to a specific request, or a threat of disruption. Importantly, for assessing whether the impact threshold is met, the NPRM advises entities that: only one of the above four qualifications must be met, the incident must result in one of the above impacts, the tactics used by a threat actor are irrelevant, and the impacts are not limited to specific types of systems, networks, or technologies.

The timing aspect of the requirement is critical, and the key is the definition of “reasonably believes.” The NPRM, however, does not propose a specific definition of “reasonably believe” or prescribe a certain point at which a “reasonable belief” will always be realized. Instead, the NPRM provides some general guidance. “Reasonable belief” is not expected to occur immediately upon occurrence of the incident, although it could in some circumstances, such as if an entity receives a ransom demand simultaneously with discovering that it has been locked out of its system. The guidance lays out how “reasonable belief” may occur after some short (hours, not days) preliminary analysis conducted at the subject matter expert level. Further, such preliminary analysis is expected to be conducted by a covered entity as soon as reasonably practicable after becoming aware of an incident.

Ransom Payment Report

The basic ransom rule is also direct – a covered entity must submit a Ransom Payment Report to CISA no later than 24 hours after the ransom payment has been disbursed.

The report is required even if the ransomware attack that led to the ransom payment is a covered cyber incident. The NPRM defines “ransom payment” as the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack. It defines “ransomware attack” as an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or that actually or imminently jeopardizes, without lawful authority, an information system. The attack must also involve the use or the threat of use of unauthorized or malicious code or another digital mechanism to disrupt or compromise an information system in order to extort a ransom payment. The definition does not include attacks where the demand for ransom payment is not genuine or made in good faith.

If a covered entity experiences a covered cyber incident and makes a ransom payment, the covered entity can submit a Joint Covered Cyber Incident and Ransom Payment Report.

Supplemental Reports

Supplemental reports about a previously reported covered cyber incident must be promptly submitted by the covered entity in certain circumstances, including if substantial new or different information becomes available or the covered entity makes a ransom payment related to a previously reported cyber incident. A covered entity can also submit an optional report stating that a covered incident has concluded.

The NPRM provides further guidance on the supplemental reports. It interprets “promptly” to mean without delay or as soon as possible. It interprets “substantial new or different information” as information that either (i) is responsive to a required data field in a Covered Cyber Incident Report that the covered entity was unable to substantively answer at the time of submission of that report or of any Supplemental Report related to that incident, or (ii) shows that a previously submitted Covered Cyber Incident Report or Supplemental Report is materially incorrect or incomplete in some manner. As to the optional report, the NPRM states that completing an investigation of the incident, gathering all necessary information, documenting all relevant aspects of the incident, and completing the steps required to address the root cause of the incident are good indicia that the incident has concluded and been fully mitigated and resolved.

Effect on Existing Reporting Regime

CIRCIA was enacted against a backdrop of multiple reporting regimes across sectors including for financial services, healthcare, communications, and several other sectors. CIRCIA itself, however, contains relatively few exceptions for the required reporting under the NPRM.

The main exception allows a covered entity to forgo providing an otherwise required CIRCIA Report (a Covered Cyber Incident Report, Ransom Payment Report, Joint Covered Cyber Incident and Ransom Payment Report, or Supplemental Report) to CISA if it is legally required to report substantially similar information within a substantially similar timeframe to another Federal agency with which CISA has an information sharing agreement and mechanism (a “CIRCIA Agreement”). Whether CISA will be able to reach a CIRCIA Agreement with the relevant federal agencies remains to be seen, as control over data breach information appears vital both to CISA and to the sector-specific regulators.

Under CIRCIA, CISA may enter into a CIRCIA Agreement with another Federal Agency where CISA has determined that:

  1. A law, regulation, or contract requires reporting by the covered entity to the other Federal Agency;
  2. The information that must be reported to the other Federal Agency is substantially similar to the information in a CIRCIA Report;
  3. The timeframe for reporting to the other Federal Agency is substantially similar to those for CIRCIA Reports; and
  4. CISA and the other Federal Agency have an information sharing mechanism in place.

For substantially similar determinations, CISA will consider whether the specific fields of information reported by the covered entity to another Federal agency are functionally equivalent to the fields of information required to be reported in CIRCIA Reports and whether the timeframe enables the report to be shared by the Federal agency with CISA by the applicable reporting deadline specified for each type of CIRCIA Report.

This will pose complicated questions for healthcare entities who are accustomed to reporting on a 60-day calendar as well as other entities that are more accustomed to 30, 45 or 60-day clocks under various regimes. Even assuming these negotiations are ongoing, it remains to be seen whether CISA will be able to accelerate government-wide reporting within the required timeframes, particularly in light of the presidential election and associated transitions.

CISA is required to maintain a catalog of all CIRCIA Agreements on a public-facing website and must make the CIRCIA Agreements themselves publicly available.

The only other exceptions are entities involved in the domain name system and federal agencies required to report incidents to CISA under the Federal Information Security Modernization Act.

Report Content

The reports must be submitted through the web-based CIRCIA Incident Reporting Form available on CISA’s website. Every form must include general information about the entity as well as contact information and the identity of the individual submitting the report. Every report must also identify the type of report being submitted.

For Covered Cyber Incident Reports, the entity needs to provide an in-depth and technical description of the incident, the timeline of the incident, and the impact of the incident. The entity must also identify the categories of any information reasonably believed to have been accessed or acquired, a description of any vulnerability exploited, the entity’s security defenses in place at the time of the incident, and any mitigation or response activities undertaken by the entity. Overall, the reporting requirements are fairly comprehensive.

For Ransom Payment Reports, the information required is similar to that required for Covered Cyber Incident Reports with the addition of specifics of the ransomware used and details surrounding the ransomware demand, payment instructions, payment, and outcome from the payment. For Supplemental Reports, the entity must explain the need for the filing of a Supplemental Report and any additional information that is needed to fully comply with a previous Covered Cyber Incident Report.

Third Party Reporting

CIRCIA authorizes covered entities to use third parties, such as an incident response company, an insurance provider, a service provider, or a law firm, to submit reports on their behalf. In response to comments, CISA clarified in the NPRM that this list of potential third-party submitters is illustrative, not exhaustive. Rather than limit who may perform third-party reporting functions, CISA has proposed that covered entities have the latitude to use any organization to submit reports, including Supplemental Reports, on their behalf, while recognizing that the compliance obligations remain with the covered entities. For example, when a single cybersecurity incident impacts multiple unaffiliated entities, such as a cloud service provider and its customers, each covered entity customer still bears its own reporting obligation. However, the covered entity customers could authorize the impacted provider to report on their behalf, itself or through a third party, under § 226.12(a). Affiliated entities may choose to issue a single report covering all impacted entities or multiple reports.

Data Preservation

CISA has proposed requiring retention and preservation for no fewer than two years from the submission of the last required CIRCIA Report or from the disbursement of the ransom payment.

The retention would extend to data and records relating to communications between the covered entity and the threat actor; indicators of compromise; relevant log entries, memory captures, and forensic images; network information or traffic related to the cyber incident; the attack vector; system information that may help identify vulnerabilities that were exploited to perpetrate the incident; information on any exfiltrated data; data and records related to any ransom payment made; and any forensic or other reports about the cyber incident produced or procured by the covered entity. The preservation obligation starts from the date upon which the covered entity establishes reasonable belief that a covered incident has occurred. This retention requirement would apply equally to entities that experience a covered incident or make a ransom payment but are exempt from the reporting requirements, as well as to non-exempt entities.

Enforcement

Many commenters urged CISA to keep in mind that covered entities are victims of cyberattacks and to focus on collaboration over enforcement or punishment. Perhaps in a show of good faith that the purpose of CISA’s reporting requirements is to protect national interests, and not to punish victims of attacks, CISA has not proposed requiring covered entities to report to whom else – individuals, government entities, or other stakeholders – they have reported a covered incident.

Moreover, the NPRM notes that federal, state, and local governments are prohibited from using information obtained solely through a CIRCIA Report submitted pursuant to the CIRCIA regulation, or in response to a request for information (RFI), to regulate the activities of a covered entity, including through an enforcement proceeding. The NPRM also includes other litigation liability protections and prohibitions on use in regulatory actions in § 226.18 (e.g., causes of action that are solely based on the submission of a CIRCIA Report or a response provided to an RFI under § 226.14(c) may not be maintained).

Notwithstanding those protections, information submitted in response to a subpoena issued pursuant to § 226.14(d) may be provided to the Attorney General or the head of a Federal regulatory agency as grounds for criminal prosecution or regulatory enforcement action. CIRCIA provides CISA with a variety of enforcement tools to address both (1) suspected failure to report a covered incident and (2) suspected deficiencies in an incident report: CISA may first issue an RFI; then, absent a sufficient response, a subpoena; and, finally, may refer noncompliance with a subpoena to the Attorney General to bring a civil action to enforce it and/or pursue contempt of court.

Restrictions on Use of Information and Protecting Privacy

In keeping with existing FOIA case law, information that is provided voluntarily will have more protection than information exacted under compulsion. Noting that CIRCIA reports are statutorily exempt from disclosure under the Freedom of Information Act, CISA’s proposal would also allow covered entities to designate reports and responses to RFIs, but not responses to subpoenas, as commercial, financial, and proprietary information, and recognizes that covered entities do not waive applicable privileges and legal protections (e.g., trade secret protection, attorney-client and work-product privileges) by virtue of submitting required reports or responses to RFIs. Notably, the treatment requirements and restrictions imposed by § 226.18 and the procedures for protecting privacy and civil liberties in § 226.19 apply only to information contained in CIRCIA reports and in responses to RFIs; they do not apply to information responsive to subpoenas issued under § 226.14(d).

Conclusion

The proposed rules will be significant for any covered entity, but especially those that have yet to develop mature cybersecurity and incident response controls and procedures. Covered businesses should look carefully at their internal controls to assess whether they would be able to comply with the proposed rule.

Ropes & Gray will continue to monitor and provide additional updates on the implementation of CIRCIA.