The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is an important piece of legislation that outlines how critical infrastructure sectors should deal with cybersecurity threats. CIRCIA strengthens cyber defenses by establishing comprehensive reporting requirements for cyber incidents and ransomware payments.
This article explores the key aspects of CIRCIA, including key components and specific requirements for critical infrastructure organizations, and a 5-step process organizations can use to begin or maintain compliance with CIRCIA.
What is the Cyber Incident Reporting for Critical Infrastructure Act?
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is a U.S. law designed to enhance cybersecurity in crucial industries by making it mandatory to report covered cyber incidents promptly. CIRCIA was passed by Congress and signed into law by President Biden in 2022 (6 U.S.C. 681-681g) as part of the Consolidated Appropriations Act. CIRCIA requires organizations in critical infrastructure sectors, such as healthcare, energy, transportation, and finance, to report significant cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments within 24 hours.
CIRCIA tasks CISA with creating specific guidelines for what qualifies as a reportable incident and ensures that sensitive information provided in these reports is safeguarded. CIRCIA aims to strengthen the resilience and security of the nation's vital services by facilitating a unified national approach to cyber threats.
Some of CISA's regulatory authorities under CIRCIA require CISA to complete mandatory rulemaking activities before the reporting requirements go into effect. CISA developed a Notice of Proposed Rulemaking (NPRM) alongside the Department of Justice and published it in the Federal Register, providing the opportunity for public comment before establishing a final rule.
Key Components of CIRCIA
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) strengthens the cybersecurity infrastructure of the United States by ensuring timely reporting and response to cyber threats. Key elements of CIRCIA include:
- Mandatory reporting requirements: Entities in critical infrastructure sectors must report significant cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransom payment reports within 24 hours of a ransomware attack.
- Scope and applicability: The act defines which organizations are considered part of the critical infrastructure, including sectors vital to national security, economic stability, or public safety, such as energy, healthcare, transportation, and financial services.
- Rulemaking authority: CISA is responsible for developing detailed rules and regulations that specify which incidents organizations must report, the reporting procedures, and the necessary information for such reports.
- Protection of information: CIRCIA incorporates measures to protect the confidentiality of information shared by entities during the reporting process, safeguarding any sensitive data included.
- Incident response and coordination: CISA utilizes collected data to facilitate coordinated responses to cyber threats, enhancing the ability of federal agencies to support sectors during security incidents and improve national resilience.
- Public-private collaboration: CIRCIA promotes government and private sector cooperation, encouraging information sharing and collaborative efforts to mitigate cybersecurity risks.
These components collectively aim to create a more robust mechanism for addressing and mitigating cyber threats against the United States federal government and critical national infrastructures.
Request for Information (RFI) on CIRCIA
As a component of the rulemaking process, an active RFI under CIRCIA gathers public feedback as CISA progresses in formulating and enacting the regulations prescribed by the new statute. The RFI requires CISA to provide precise and definitive explanations for:
- The term "covered entity"
- The aggregate number of entities, categorized by industry or sector
- The definition of "covered cyber incident"
- The comparison of "covered cyber incidents" definitions against those in other federal regulations
- The description of "substantial cyber incidents"
- The definitions of "ransom payment" and "ransomware attack"
- The estimated annual number of ransom payments by covered entities
- The interpretation of "supply chain compromise"
- Any additional terms needing clarification within CIRCIA
- The concept of "reasonable belief," which activates the 72-hour reporting timeline
- The conditions under which a ransom payment is deemed complete, initiating the 24-hour reporting period
- Procedures for covered entities to file reports on cyber incidents and ransom payments
- Guidelines for third parties to submit their supplementary reports
- The criteria for identifying a multi-stakeholder organization
Additionally, the Director of CISA is mandated to issue a Notice of Proposed Rulemaking (NPRM) within 24 months from the enactment date (by March 2024). An NPRM is an official declaration that details the agency’s intentions to solve a specific issue or achieve a goal.
The Director must also publish the Final Rule within 18 months following the NPRM (by September 2025). This Final Rule marks the culmination of the rulemaking process, moving the proposed regulations into the final phase of publication in the Federal Register. This publication also sets the activation date for CIRCIA.
Who must comply with CIRCIA?
CIRCIA applies to entities in the critical infrastructure sectors in the United States. This includes organizations operating within industries that are essential to national security, economic stability, public health, or safety. The law gives CISA the authority to specify the exact types of covered entities in these sectors, considering factors like their size (e.g., whether they exceed the small business size standards in the U.S. Small Business Administration's regulations), importance, and the potential impact of a cybersecurity breach.
The Department of Homeland Security (DHS) and Presidential Policy Directive 21 have identified 16 critical infrastructure sectors that are likely subject to CIRCIA's requirements:
- Chemical Sector
- Commercial Facilities Sector
- Communications Sector
- Critical Manufacturing Sector
- Dams Sector
- Defense Industrial Base Sector
- Emergency Services Sector
- Energy Sector
- Financial Services Sector
- Food and Agriculture Sector
- Government Facilities Sector
- Healthcare and Public Health Sector
- Information Technology Sector
- Nuclear Reactors, Materials, and Waste Sector
- Transportation Systems Sector
- Water and Wastewater Systems Sector
Entities in these sectors must follow the reporting guidelines outlined in CIRCIA, including any sector-based criteria, and report significant covered incidents to CISA within the required timeframes. CIRCIA does not apply to State, Local, Tribal, or Territorial Government Entities.
Penalties for non-compliance
CISA utilizes several enforcement mechanisms to ensure entities comply with CIRCIA. Before deciding on enforcement actions, CISA considers additional information, such as the complexity of identifying a cyber incident, the entity's prior interactions with CISA, and their understanding of reporting procedures. With this in mind, CISA typically issues penalties for non-compliance on a case-by-case basis.
Suppose an entity does not comply with CIRCIA, such as by failing to report a substantial cyber incident or ransom payment. In that case, CISA typically issues a Request for Information (RFI) or subpoena to obtain the necessary information. Should entities not comply with these requests, CISA can refer the matter to the Attorney General to initiate civil actions, including the pursuit of contempt of court. Additional enforcement options include supplemental reports, acquisition penalties, suspension, and debarment.
It's important to note that making false statements in any CIRCIA report, RFI response, or subpoena reply can result in severe penalties, such as fines and imprisonment for up to eight years, especially in cases related to terrorism or certain sexual offenses. Unlike other submissions, false statements in these contexts are not protected under CIRCIA, highlighting the strict consequences of non-compliance and of spreading misinformation.
Five steps to comply with CIRCIA
To comply with the CIRCIA, companies operating within critical infrastructure sectors should implement a systematic approach.
By adhering to these steps, companies can meet CIRCIA requirements and bolster their defenses against cyber threats, safeguarding their assets and the general public interest.
1. Understand applicability
Identify whether your organization falls under a critical infrastructure sector defined by the DHS. This step is essential for determining CIRCIA reporting requirements and applicable obligations for reporting cyber incidents and ransomware payments. Understanding your classification ensures legal compliance and helps prioritize cybersecurity efforts and resources.
Tailoring cybersecurity strategies to meet regulatory requirements is essential for protecting vital infrastructure and enhancing overall resilience against cyber threats. Misclassifying your sector can lead to non-compliance, legal penalties, and increased vulnerability to cyber attacks, making this step indispensable in your cybersecurity and compliance strategy.
2. Establish reporting protocols
Develop robust protocols for swiftly identifying and reporting cybersecurity incidents and ransomware payments. Integrate these protocols into your IT and security operations for seamless communication and coordination. As CIRCIA requires, set internal deadlines for reporting incidents to CISA within 72 hours and ransom payments within 24 hours.
Update these cyber incident reporting requirements regularly to address new threats and regulations and conduct training sessions to ensure staff are familiar with their roles. These measures will help your organization meet reporting requirements, minimize the impact of cyber incidents, and enhance overall cybersecurity resilience.
3. Designate a compliance team
Assign a dedicated in-house compliance team responsible for overseeing CIRCIA compliance. This team should consist of skilled professionals with expertise in cybersecurity, legal compliance, and risk management. It should monitor regulatory updates to stay ahead of any changes or new requirements introduced by CISA, ensuring that your organization remains compliant at all times. The compliance team can also manage all reporting obligations, from the initial identification of a cyber incident or ransomware payment to the timely submission of detailed reports to CISA within the mandated 72-hour and 24-hour timeframes.
Additionally, this team should serve as the primary point of contact with CISA and have the authority to enforce compliance across the organization, ensuring that all departments adhere to the established protocols and procedures. This centralized and authoritative approach helps coordinate compliance efforts, reduce non-compliance risk, and enhance the organization's overall security posture.
4. Establish incident response and recovery plans
Prepare detailed incident response and recovery plans that include immediate actions to contain incidents, data preservation mechanisms, and business continuity strategies. These plans should specify the steps to isolate affected information systems, prevent further damage, and preserve critical data for investigation and recovery. Additionally, ensure that your plans outline clear strategies for maintaining business operations during disruptions, including backup procedures and alternative workflows for supply chain compromises.
Communication protocols with CISA and other relevant stakeholders should be clearly defined, detailing how and when to report incidents, provide updates, and coordinate response efforts. By having comprehensive and well-documented plans, your organization can effectively manage and recover from cyber incidents, minimizing their impact and ensuring compliance with CIRCIA requirements.
5. Update compliance strategies over time
Stay updated on any changes to CIRCIA regulations and adjust your compliance and cybersecurity strategies accordingly. Regularly updating your policies and practices is crucial to keeping up with evolving regulatory requirements and the constantly changing cyber threat landscape. This proactive approach will help ensure that your organization remains compliant and prepared to tackle new challenges as they come up. By consistently monitoring regulatory developments and adjusting your strategies, you can maintain strong cybersecurity defenses and effectively meet CIRCIA's standards.
How UpGuard helps organizations stay CIRCIA compliant
Achieving CIRCIA compliance can be daunting, but UpGuard’s comprehensive cybersecurity management tools make it simple to monitor your cybersecurity posture and your vendors—all in one centralized dashboard.
UpGuard BreachSight illuminates your organization’s external attack surface, allowing you to discover and remediate risks ten times faster with continuous monitoring capabilities. Additional features include:
- Real-time scanning: Don’t accept an incomplete or lagging picture of your attack surface. Protect yours with real-time scans of your domains, IP, and external assets.
- Instant alerts: Be alerted the moment a vulnerability is detected. Receive notifications where your team works, whether Jira, ServiceNow, or another platform like Slack.
- Detect stolen credentials: Know when your data or credentials are circulating online or at risk of unauthorized access. UpGuard combines proprietary sources and dark web scanning to spot leaked data faster.
UpGuard Vendor Risk provides complete visibility of your third-party risk, helping you identify vendor risks sooner and complete risk assessments twice as fast. Additional Vendor Risk features include:
- Constant vendor monitoring: Get alerted whenever the security posture of a third or fourth party changes. Continuous monitoring ensures you’re always the first to know.
- 360° risk assessments: See your vendor risks from all angles. Automated scanning, evidence analysis, and insights from industry questionnaires (NIST, GDPR, ISO 27001) give you the complete picture of your service providers.
- End-to-end workflows: Forget spreadsheets and stale data. Transform your processes with a single platform for identifying and managing risk mitigation.