Cybersecurity · Credibility 82/100 · 6 min read

Cybersecurity Briefing — April 4, 2024

CISA’s 447-page proposed CIRCIA rule sets 72-hour incident and 24-hour ransom reporting requirements for covered critical infrastructure entities.

Executive briefing: On April 4, 2024 the Cybersecurity and Infrastructure Security Agency (CISA) published its Notice of Proposed Rulemaking to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The draft rule clarifies who must report, what constitutes a covered cyber incident, and the timelines for notifying CISA.

Key directives

  • 72-hour incident reports. Covered entities must report qualifying cyber incidents to CISA within 72 hours of determining an event occurred.
  • 24-hour ransom disclosures. Any ransomware payment tied to a covered entity must be reported within 24 hours, including payment instrument and amount.
  • Two-year record retention. Organizations must preserve data relevant to reported incidents for at least two years.
  • Broad sector scope. The proposed definition spans all 16 critical infrastructure sectors, including healthcare, financial services, energy, water, and information technology.

Control alignment

  • NIST CSF 2.0 DE.DR and RS.CO. Continuous monitoring and coordinated response requirements map directly to the detection and response categories emphasized in the rule.
  • FFIEC Cybersecurity Assessment Tool Domain 4. Financial institutions can tie incident reporting expectations to the FFIEC’s external dependency management and incident response declaratives.
  • ISA/IEC 62443-2-1. Industrial operators should align reporting processes and evidence collection with the cybersecurity management system obligations in 62443.

Implementation priorities

  • Determine whether the organization meets the size or function-based criteria for covered entities and document the rationale.
  • Map existing incident response workflows to the 72-hour and 24-hour deadlines, ensuring legal, communications, and cyber teams can assemble required data fields quickly.
  • Update contracts with managed security providers to guarantee telemetry retention and rapid access to evidence needed for CISA submissions.

Enablement moves

  • Educate executive incident response sponsors on the protected nature of CISA submissions and liability protections offered by CIRCIA.
  • Coordinate with sector risk management agencies to align reporting templates and avoid duplicate regulatory requests.
  • Drill ransom payment playbooks that incorporate Treasury sanctions screening and Department of Justice notification guidance.

Zeph Tech analysis

  • Evidence discipline is critical. Failing to preserve forensic artefacts for two years could trigger enforcement and weaken legal privilege.
  • Vendors are in scope. Third-party incidents that affect covered entities must be reported, so supplier SLAs need explicit notification timelines.
  • Prepare for adjustments. The NPRM comment period closes on July 3, 2024, giving organizations a short window to influence thresholds, definitions, and reporting formats.

Zeph Tech is mapping CIRCIA reporting elements to sector-specific regulatory regimes so clients can reuse evidence packages across overlapping obligations.
