The federal Cybersecurity & Infrastructure Security Agency (CISA) has issued a request for information (RFI) seeking public input on its development of cyber incident and ransom payment reporting rules under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

The September 12, 2022, RFI provides a "non-exhaustive" list of topics on which CISA seeks input, including the following:

  • Definitions of and statistics pertaining to various terms to be used in the proposed rules, including the scope-defining terms "covered entity," "covered cyber incident," and "substantial cyber incident;"
  • The form, manner, content, and procedures for submission of cyber incident and ransom payment reports required under CIRCIA, including initial reports and follow-ups;
  • The criteria for what constitutes a "reasonable belief" that a covered cyber incident has occurred, triggering the 72-hour deadline to report such incidents;
  • Information regarding existing federal or state incident reporting requirements and potential areas of overlap or conflict between those requirements and CIRCIA;
  • The typical time and costs needed to comply with existing incident reporting requirements; and
  • Industry practices governing the sharing of security vulnerability information.

Comments may be submitted through the Federal eRulemaking Portal through November 14, 2022, in accordance with instructions in the RFI. CISA also has announced a series of 11 "listening sessions" across the country as another way of soliciting public input. The schedule for these sessions, as well as other information about CIRCIA and the CISA rulemaking process, can be found on CISA's dedicated CIRCIA website.

CIRCIA and CISA Rulemaking

DWT outlined CIRCIA and CISA's rulemaking authority in a prior blog post. CIRCIA, which was signed into law in March 2022, requires companies operating in critical infrastructure sectors to report covered cyber incidents within 72 hours of a company's reasonable belief that a covered cyber incident has occurred and to report a ransom payment within 24 hours after the payment is made. The law also contains various legal protections for companies that report incidents and payments in accordance with the regulations and grants CISA limited enforcement powers.

CIRCIA requires the Director of CISA to publish proposed rules in the form of a Notice of Proposed Rulemaking (NPRM) within 24 months of CIRCIA's enactment, or by no later than March 2024. A Final Rule must be published within 18 months of the proposed rules, or by no later than September 2025. CISA's announcement of the RFI and listening sessions is its first public step toward implementing the regulations required under CIRCIA.