US critical infrastructure companies will be obliged to report cyber incidents within 72 hours to the Cybersecurity and Infrastructure Security Agency (CISA) under “game-changing” legislation signed into law by President Joe Biden this week.
Covered entities will also be obliged to report any ransomware payments to CISA within 24 hours under the Cyber Incident Reporting for Critical Infrastructure Act of 2022. This legislation forms part of the Consolidated Appropriations Act 2022, a $1.5tn omnibus spending package.
The legislation was drafted amid surging ransomware attacks and other cyber-threats facing critical infrastructure organizations, exacerbated by the current Russia-Ukraine conflict.
In addition to deterring organizations from making ransomware payments, the measures are designed to provide more intelligence into cyber-attacks and threat actor plans. This, in turn, will assist information sharing between federal agencies like the Department of Justice (DoJ) and the FBI, helping ensure there is a standardized approach to dealing with critical infrastructure cyber-attacks.
The new reporting requirements will apply to organizations that fall within the 16 US critical infrastructure sectors, as defined by CISA. These firms must report “substantial” cyber incidents, such as those that endanger the safety and resiliency of operational systems or processes, or that disrupt business or industrial operations.
The Act requires these reports to contain various details about such incidents. These include a description of the relevant vulnerabilities, the efforts taken to mitigate the attack, the categories of data believed to have been accessed or acquired by an unauthorized person, and any actor reasonably believed to be responsible for the incident. Organizations will also be required to supplement their reports as “substantial new or different information becomes available.”
Covered companies that fail to report cybersecurity incidents or ransomware payments may be issued with a subpoena by CISA.
The requirements have not come into effect yet, with the CISA director given two years to publish a notice of proposed rulemaking to implement the Act and 18 months after that to issue the final rule.
Commenting on the new law, CISA director Jen Easterly said: “As the nation’s cyber defense agency, CISA applauds the passage of cyber incident reporting legislation. Thanks to the support of our many partners in Congress, CISA will have the data and visibility we need to help better protect critical infrastructure and businesses across the country from the devastating effects of cyber-attacks.
“CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure. This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims. CISA is committed to working collaboratively and transparently with our industry and federal government partners in order to enhance the security and resilience of our nation’s networks and critical infrastructure.
“Put plainly, this legislation is a game-changer. Today marks a critical step forward in the collective cybersecurity of our nation.”
The Act is the latest federal cybersecurity initiative issued by the Biden administration, which took office in early 2021. Others include an executive order designed to improve supply chain security, incident detection and response and overall resilience to threats, and the creation of a ransomware task force by the DoJ.