The federal government has stepped up its focus on cybersecurity across critical infrastructure, spending a significant amount of time creating guidance for businesses on how to build more protection from cyber threats. As part of this effort, President Joe Biden recently signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which sets new reporting requirements for “covered” entities operating in sectors affecting critical infrastructure.
The Act centralizes the reporting process and involves the federal government so it can better monitor emerging threats. It is meant to make cyber events more transparent, which is essential in fighting cyberattacks and allows the business community to benefit from lessons learned by others.
As a managed services provider (MSP), ZAG is dedicated to partnering with our clients to make sure they have the information they need. We also embrace the idea that we’re “stronger together” and that shared security-related experiences and lessons help elevate the security of all of us.
In this article, we want to offer a closer look at what the law means for your business.
What is the Cyber Incident Reporting for Critical Infrastructure Act of 2022?
On March 15, 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022. It set new reporting requirements for “covered” entities operating in sectors affecting critical infrastructure.
SEC. 2220A. CYBER INCIDENT REVIEW OFFICE, (d)(1)(4)(B)(iii) defines a covered incident as:
“Unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by a compromise of, a cloud service provider, MSP, other third-party data hosting provider, or supply chain attack.”
- Why it was created:
  - The law allows the federal government to collect accurate data on the frequency and structure of these attacks.
  - It also provides some legal cover for companies when reporting cyber incidents, and it moves reporting requirements previously defined in global IT standards such as ISO 27001 and regulations such as NIST SP 800-171 into law.
While finalization of the related regulations will take up to 3.5 years, reporting thresholds, liability protections, and legal privilege safeguards will not be superseded by CISA regulations.
- Here’s a little more about what it says:
  - Covered entities that reasonably believe they have experienced a “covered cyber incident” must file a report with the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours.
  - If a covered entity makes a ransomware payment, it must report the payment to CISA within 24 hours.
  - Covered entities must provide supplemental information and preserve data related to the incident.
  - The Act prohibits (with limited exceptions) a federal, state, local, or tribal government or agency from using information derived solely from a covered cyber incident or ransom payment report submitted to CISA to undertake a regulatory or other enforcement action against the covered entity.
Who is Affected?
Companies deemed to be part of “critical infrastructure,” which includes the agriculture and food sector, are affected. While this is a broad definition, the Cybersecurity & Infrastructure Security Agency’s (CISA) current list of sectors considered to be critical infrastructure is as follows:
- Agriculture and Food Sector
- Chemical Sector
- Commercial Facilities Sector
- Communications Sector
- Critical Manufacturing Sector
- Dams Sector
- Defense Industrial Base Sector
- Emergency Services Sector
- Energy Sector
- Financial Services Sector
- Government Facilities Sector
- Healthcare and Public Health Sector
- Information Technology Sector
- Nuclear Reactors, Materials, and Waste Sector
- Sector-Specific Agencies
- Transportation Systems Sector
- Water and Wastewater Systems Sector
Reporting requirements are basically the same as the Computer-Security Incident Notification Final Rule (FIL-74-2021) from November 2021, with notification to CISA instead of the FDIC. The requirements apply to any occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits. In summary:
- Organizations will be required to notify their CISA Regional Office as soon as possible and no later than 72 hours after the organization determines that a computer-security incident that rises to the level of a notification incident has occurred.
- Organizations will be required to notify their CISA Regional Office as soon as possible and no later than 24 hours after the organization makes a ransomware payment.
- CISA Regional Offices
  - Region 1 (Maine, New Hampshire, Vermont, Massachusetts, Rhode Island, and Connecticut): CISARegion1
  - Region 2 (New York, New Jersey, Puerto Rico, and Virgin Islands): CISARegion2
  - Region 3 (Pennsylvania, West Virginia, Maryland, Delaware, Virginia, and the District of Columbia): CISARegion3
  - Region 4 (Kentucky, Tennessee, North Carolina, South Carolina, Mississippi, Alabama, Georgia, and Florida): CISARegion4
  - Region 5 (Ohio, Michigan, Indiana, Illinois, Wisconsin, and Minnesota): CISARegion5
  - Region 6 (Louisiana, Arkansas, Oklahoma, Texas, and New Mexico): CISARegion6
  - Region 7 (Missouri, Kansas, Nebraska, and Iowa): CISARegion7
  - Region 8 (Colorado, Utah, Wyoming, Montana, North Dakota, and South Dakota): CISARegion8
  - Region 9 (Arizona, Nevada, California, Guam, American Samoa, Commonwealth of Northern Mariana Islands (CNMI), and Hawaii): CISARegion9
  - Region 10 (Washington, Oregon, Idaho, and Alaska): CISARegion10
A notification incident is defined as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, an organization’s: (i) ability to carry out operations, activities, or processes, or deliver products and services to a material portion of its customer base, in the ordinary course of business; (ii) business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States. For example, a notification incident may include a major computer-system failure; a cyber-related interruption, such as a distributed denial of service or ransomware attack; or another type of significant operational interruption.
The rule also requires suppliers and service providers to notify at least one designated point of contact at each affected customer organization as soon as possible when the supplier or service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to disrupt or degrade, covered services provided to the organization for four or more hours. If the organization has not previously provided a designated point of contact, the notification must be made to the organization’s chief executive officer and chief information officer, or to two individuals of comparable responsibility.
What it Means for Your Business
Processes and procedures for detection and incident management are essential, not only for “covered” entities, but for business continuity in all organizations. It’s the law for covered entities and good business practice for everyone else.
How ZAG Helps
ZAG offers managed services that include detection, monitoring, and incident management that can help you identify potential threats, maintain your technology systems, and respond when an incident occurs. We can also help answer questions you might have about the law and how it affects your organization.