Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)


CIRCIA - Critical Incident Reporting for Critical Infrastructure Act of 2022 - Learn More

All organizations are encouraged to share information about unusual cyber activity and/or cyber incidents 24/7 via report@cisa.gov or (888) 282-0870.

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).  Enactment of CIRCIA marks an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA.  These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.

Rulemaking Process

These new authorities are regulatory in nature and require CISA to complete mandatory rulemaking activities before the reporting requirements go into effect. CIRCIA requires CISA to develop and publish a Notice of Proposed Rulemaking (NPRM), which will be open for public comment, and a Final Rule. CIRCIA also mandates that CISA consult with various entities throughout the rulemaking process, including Sector Risk Management Agencies, the Department of Justice, other appropriate Federal agencies, and a soon-to-be formed, DHS-chaired Cyber Incident Reporting Council. This work is already underway.

CISA is committed to receiving inputs into the NPRM from other stakeholders as well, such as critical infrastructure owners and operators and other members of the potentially regulated community, while maintaining the rulemaking schedule required by statute.  

Request for Information

CISA has released a Request for Information (RFI) through which we are soliciting public input for 60 days, starting September 12, 2022, on potential aspects of the proposed regulation prior to publication of the NPRM.

This public input from our critical infrastructure partners will help us understand how we can implement the new cyber incident reporting legislation in the most effective way possible to protect the nation’s critical infrastructure.

The RFI has been published in the Federal Register site, along with a notice of public listening sessions

CISA is particularly interested in input on definitions for and interpretations of the terminology to be used in the proposed regulations, as well as the form, manner, content, and procedures for submission of reports required under CIRCIA.  

In addition, CISA is also interested in information regarding other incident reporting requirements and other policies and procedures, such as enforcement procedures and information protection policies, that will be required for implementation of the regulations.

There are two ways to provide input on the rulemaking process:

  • Provide written comments in response to the Request for Information by November 14, 2022
  • Participate in one of the listening sessions that CISA will be hosting around the country

Schedule of Public Listening Sessions

CISA will be hosting in person listening sessions around the country. Dates, times and locations for each of the listening schedules is provided below.

Registration is encouraged for the public listening sessions and priority access will be given to individuals who register.  To register for a listening session, please click on the link “Register Here” below and follow the instructions provided.  Registration for each session will be accepted until 5:00 p.m. (Eastern Daylight Time) two days before the listening session.

UPDATE:  The September 28  session scheduled for Atlanta, GA, has been cancelled due to hurricane preparations at the venue. Participants are encouraged to submit written input via the Request for Information.  

REGISTER HERE

 

City

Date

Time

Location

Salt Lake City, Utah

September 21, 2022

11 a.m. - 3 p.m.

Taylorsville State Office Building, 4315 S 2700 W, Taylorsville, UT 84129

* CANCELLED* Atlanta, Georgia

September 28, 2022

11 a.m. - 3 p.m.

Georgia Emergency Management Administration Building, 935 United Ave SE, Atlanta GA, 30316

Chicago, Illinois

October 5, 2022

11 a.m. - 3 p.m.

Federal Building, USCIS Auditorium, 536 S. Clark Street, Chicago, IL 60605

Dallas/Fort Worth, Texas

October 5, 2022

11 a.m. - 3 p.m.

Fritz G. Lanham Federal Building, 819 Taylor Street, Fort Worth, TX 76102

New York, New York

October 12, 2022

11 a.m. - 3 p.m.

Alexander Hamilton U.S. Custom House Smithsonian Museum of the American Indian, 1 Bowling Green, New York, NY 10004

Philadelphia, Pennsylvania

October 13, 2022

11 a.m. - 3 p.m.

Federal Reserve Bank 10 N. Independence Mall, W Philadelphia, PA 19106

Oakland, California

October 26, 2022

11 a.m. - 3 p.m.

Ronald V. Dellums Federal Building, 1301 Clay Street, Oakland, CA 94612

Boston, Massachusetts

November 2, 2022

11 a.m. - 3 p.m.

Tip O’Neill Federal Building, 10 Causeway, Boston, MA 02222

Seattle, Washington

November 9, 2022

11 a.m. - 3 p.m.

Henry Jackson Federal Building, 915 2nd Avenue, Seattle, WA 98104

Kansas City, Missouri

November 16, 2022

TB 11 a.m. - 3 p.m. D

Two Pershing Square, 2300 Main Street, Kansas City, MO 64108

Washington, DC

October 19, 2022

11 a.m. - 3 p.m.

Metropolitan Washington Council of Governments, 777 North Capitol Street NE, Suite 300, Washington, DC 20002

 

Voluntary Sharing of Information about Cyber Incidents

While covered cyber incident and ransomware payment reporting under CIRCIA will not be required until the Final Rule implementing CIRCIA’s reporting requirements goes into effect, CISA encourages critical infrastructure owners and operators to voluntarily share with CISA information on cyber incidents prior to the effective date of the final rule. 

When information about cyber incidents is shared quickly, CISA can use this information to render assistance and provide warning to prevent other organizations from falling victim to a similar incident. This information is also critical to identifying trends that can help efforts to protect the homeland.

CISA encourages all organizations to share information about unusual cyber activity and/or cyber incidents 24/7 via report@cisa.gov or (888) 282-0870.  To learn more about how Observe, Act, and Report cyber incidents, view our fact sheet on Sharing Cyber Event Information.

Additional Resources:

Background and Facts About CIRCIA 

BACKGROUND

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Enactment of CIRCIA marks an important milestone in improving America’s cybersecurity by, among other things, requiring the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report to CISA covered cyber incidents and ransom payments. These reports will allow CISA to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.

CYBER INCIDENT REPORTING INITIATIVES

CIRCIA includes a number of requirements related to the required reporting and sharing of covered cyber incidents, to include the following:

  • Cyber Incident Reporting Requirements: CIRCIA requires CISA to develop and issue regulations requiring covered entities to report to CISA any covered cyber incidents within 72 hours from the time the entity reasonably believes the incident occurred.
  • Federal Incident Report Sharing: Any federal entity receiving a report on a cyber incident after the effective date of the final rule must share that report with CISA within 24 hours. CISA will also have to make information received under CIRCIA available to certain federal agencies within 24 hours.
  • Cyber Incident Reporting Council: DHS must establish and Chair an intergovernmental Cyber Incident Reporting Council (Council) to coordinate, deconflict, and harmonize federal incident reporting requirements.

RANSOMWARE INITIATIVES

CIRCIA additionally authorizes or requires a number of initiatives related to combatting ransomware, to include the following:

  • Ransom Payment Reporting Requirements: CIRCIA requires CISA to develop and issue regulations requiring covered entities to report to CISA within 24 hours of making any ransom payments made as a result of a ransomware attack. CISA must share such reports with federal agencies, similar to above.
  • Ransomware Vulnerability Warning Pilot Program: CISA must establish a pilot to identify systems with vulnerabilities to ransomware attacks and may notify the owners of those systems.
  • Joint Ransomware Task Force: CISA has announced the launch of the Joint Ransomware Task Force in accordance with the statute to build on the important work that has already begun to coordinate an ongoing nationwide campaign against ransomware attacks. CISA will continue working closely with the Federal Bureau of Investigation and the National Cyber Director to build the task force.

IMPLEMENTING CIRCIA’S REPORTING REQUIREMENT

  • Some of the new authorities are regulatory in nature and require CISA to complete rulemaking activities before the reporting requirements go into effect.
  • As part of the rulemaking process, CIRCIA requires CISA to publish a Notice of Proposed Rulemaking(NPRM) within 24 months of the enactment of CIRCIA, and to issue a Final Rule setting forth the regulatory requirements within 18 months of the publication of the NPRM.
  • CIRCIA also mandates that CISA consult with various entities throughout the rulemaking process, including Sector Risk Management Agencies (SRMAs), the Department of Justice (DOJ), other appropriate Federal agencies, and the Council.
  • As CISA wants to ensure that the proposed rule benefits from the perspectives of our broad partner community, CISA will also be publishing a Request for Information later this year in the Federal Register, and will also be hosting a series of listening sessions where stakeholders will be able to provide thoughts on the statutory requirements directly to members of CISA.

SHARING INFORMATION WITH CISA ABOUT CYBER INCIDENTS OR RANSOM PAYMENTS

  • Until the effective date of the Final Rule, organizations are not required to submit cyber incident or ransom payment reports under CIRCIA.
  • However, CISA strongly encourages organizations to continue voluntarily sharing cyber event information with CISA throughout the rulemaking period prior to the Final Rule’s effective date.
  • When information about cyber incidents is shared quickly, we can use this information to render assistance and provide warning to prevent other organizations from falling victim to a similar incident. This information is also critical to identifying trends that can help efforts to protect the homeland.

HOW TO SHARE INFORMATION ABOUT A CYBER INCIDENT

  • When information about cyber incidents is shared quickly, we can use this information to render assistance and provide warning to prevent other organizations from falling victim to a similar incident. This information is also critical to identifying trends that can help efforts to protect the homeland.
  • Organizations can share information about unusual cyber activity and/or cyber incidents to report@cisa.gov or (888) 282-0870.
  • Additional information on sharing information about unusual cyber activity or incidents can be found here.

Frequently Asked Questions (FAQ)

Q. What is CISA required to do under CIRCIA to implement the reporting requirement?

  • Some of the new authorities are regulatory in nature and require CISA to complete rulemaking activities before the reporting requirements go into effect.
  • Specifically, the law requires that CISA develop and publish a Notice of Proposed Rulemaking (NPRM), which will be open for public comment, and a Final Rule.
  • CIRCIA also mandates that CISA consult with various entities throughout the rulemaking process, including Sector Risk Management Agencies (SRMA), the Department of Justice (DOJ), other appropriate Federal agencies, and a soon-to-be formed U.S. Department of Homeland Security (DHS)-chaired Cyber Incident Reporting Council. CISA is working to complete these activities within the statutorily mandated timeframes.

Q. Am I now required to submit reports of cyber incidents or ransomware payments to CISA?  If not now, when will this requirement go into effect? 

  • Organizations are not required to submit cyber incident or ransomware payment reports under CIRCIA until the yet-to-be-determined effective date of the Final Rule. 
  • Nevertheless, CISA strongly encourages organizations to continue voluntarily sharing cyber event information with CISA throughout the rulemaking period prior to the Final Rule’s effective date. 
  • When information about cyber incidents is shared quickly, we can use this information to render assistance and provide warning to prevent other organizations from falling victim to a similar incident. This information is also critical to identifying trends that can help efforts to protect the homeland.
  • Organizations can report unusual cyber activity and/or cyber incidents to report@cisa.gov or (888) 282-0870.

Q. How long is the rulemaking process going to take? 

  • CIRCIA requires CISA to publish a Notice of Proposed Rulemaking (NPRM) within 24 months of the enactment of CIRCIA, and to issue a Final Rule setting forth the regulatory requirements within 18 months of the publication of the NPRM.

Q. I have some ideas on how reports should be made.  How can I contribute to the development of the rule? 

  • All members of the public will have the opportunity to review and provide comments on the Notice of Proposed Rulemaking, which is required to be published no later than March 2024.
  • CISA  also plans to release a Request for Information (RFI) and host a series of listening sessions through which stakeholders will be able to provide CISA with their perspectives on various aspects of CIRCIA’s future regulations. CISA will share more information on both the RFI and listening sessions as becomes available.  

Q. My [council, company, organization, etc.] is interested in receiving a briefing on and/or discussing CIRCIA with CISA.  How can I schedule a briefing/meeting? 

  • All members of the public will have the opportunity to review and provide comments on the Notice of Proposed Rulemaking, which is required to be published no later than March 2024.
  • CISA also plans to release a Request for Information (RFI) and host a series of listening sessions through which stakeholders will be able to provide CISA with their perspectives on various aspects of CIRCIA’s future regulations.  CISA will share more information on both the RFI and listening sessions as it becomes available.  

Q. I have a cyber incident I’d like to report.  What is the best way to do that? 

  • When information about cyber incidents is shared quickly, we can use this information to render assistance and provide warning to prevent other organizations from falling victim to a similar incident. This information is also critical to identifying trends that can help efforts to protect the homeland.
  • Organizations can share information about unusual cyber activity and/or cyber incidents to  report@cisa.gov or (888) 282-0870.
  • Additional information on sharing information about unusual cyber activity or incidents can be found here.

For Media Inquiries

 For media inquiries, please contact CISA Media at CISAMedia@cisa.dhs.gov.

 

Was this webpage helpful?  Yes  |  Somewhat  |  No