CIRCIA at One Year: A Look Behind the Scenes
It has been one year since President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law—an act that is critical to improving America’s cybersecurity. In that time, we’ve been working to implement the law thoughtfully, listening to stakeholders, and building the staffing, processes, and technology to successfully implement this groundbreaking legislation.
While those who are familiar with CIRCIA might think first of its regulatory requirements, there are also critical requirements that are more operational in nature. For example, in accordance with the law, CISA and the Federal Bureau of Investigation (FBI) established the Joint Ransomware Task Force (JRTF) in September 2022 to coordinate a nationwide campaign against ransomware attacks. In addition, CISA established the Ransomware Vulnerability Warning Pilot (RVWP) Program in January 2023 to identify the most common security vulnerabilities used in ransomware attacks and to identify information systems that already contain these vulnerabilities. Together, JRTF and RVWP are making Americans safer and better equipped to handle cyber incidents.
In addition to proactively seeking out vulnerabilities, it is critical that entities that experience cyber incidents report them. If incidents aren’t reported, we will collectively continue to suffer from a lack of certainty around the depth and breadth of the threat of cyber threat activity to America’s critical infrastructure. One of the most vital aspects of CIRCIA is that it enhances CISA’s ability to use cybersecurity incident and ransom payment information reported to the agency to spot trends in real-time, fill critical information gaps, rapidly deploy resources to help entities that are suffering from cyberattacks, and share information to warn other potential victims.
In fact, reporting cyber incidents is so vitally important that CIRCIA established mandatory reporting requirements for covered entities that have experienced a covered cyber incident or made a ransom payment that will be implemented through regulation. CISA is currently working in accordance with the timeline provided by CIRCIA to develop thoughtful regulations that will become effective after a final rule is published.
As an agency grounded in collaboration and coordination, CISA has worked hard to ensure it hears from the American people, critical infrastructure owners and operators, and other cybersecurity community members prior to developing proposed regulations. In the fall of 2022, agency staff made 10 stops from coast to coast to host in-person listening sessions and published a 60-day Request for Information (RFI) to solicit written comments. We are grateful to those who attended the in-person sessions and the approximately 130 individuals and organizations who submitted written comments in response to the RFI. Together, this feedback is helping us implement the legislation in the most effective way possible to protect the nation’s critical infrastructure.
During that same timeframe, CISA hosted 17 virtual, sector-specific listening sessions, including one for each of the 16 critical infrastructure sectors. These listening sessions provided additional opportunities for industry partners to share their perspectives on potential approaches to implementing CIRCIA’s regulatory requirements. CISA has also been consulting closely with federal partners, including all the Sector Risk Management Agencies (SRMAs), the Department of Justice, and many other Federal Departments and Agencies who have a role in cyber incident reporting. CISA is considering the inputs received through these consultations as we develop the proposed regulations and look for ways to harmonize CIRCIA’s requirements with other existing cyber incident reporting regulatory requirements.
While these reporting regulations will only impact covered entities and apply to covered cyber incidents and ransom payments, we encourage all critical infrastructure owners and operators to voluntarily share information on cyber incidents, phishing attempts, malware and vulnerabilities, to help prevent other organizations from falling victim to similar incidents. It’s easy to do at cisa.gov/report.
Looking ahead, CISA is required by CIRCIA to publish a Notice of Proposed Rulemaking by March 2024 and open it for public comment. CISA is appreciative of the high level of continued engagement from the public on the agency’s proposed rulemaking. To learn more about CIRCIA and future opportunities to provide comments or feedback, visit cisa.gov/CIRCIA.