
Cybersecurity · Credibility 93/100 · 2 min read

CISA Issues Proposed Rule for CIRCIA Reporting — April 4, 2024

CISA released a 447-page notice of proposed rulemaking that defines who must report substantial cyber incidents and ransomware payments under the Cyber Incident Reporting for Critical Infrastructure Act.

Executive briefing: The Cybersecurity and Infrastructure Security Agency (CISA) published its long-awaited notice of proposed rulemaking (NPRM) to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The proposal sets out definitions for covered entities and reportable incidents, a 72-hour deadline for reporting covered incidents, and a 24-hour deadline for notifying CISA of ransomware payments.

Key NPRM elements

  • Covered entities. Applies to owners and operators in 16 critical infrastructure sectors that meet size or criticality criteria outlined in the proposal.
  • Reportable incidents. Requires reporting of substantial cyber incidents that cause serious impacts, including unauthorized access to sensitive systems, disruptions of essential functions, or operational technology degradation.
  • Reporting mechanics. Establishes the CIRCIA Reporting Portal, required data elements, and obligations to preserve records for at least two years.

Control alignment guidance

  • Incident response plans. Update playbooks to incorporate 72-hour reporting triggers, evidence preservation procedures, and coordination with legal counsel.
  • Regulatory mapping. Align CIRCIA obligations with existing TSA, SEC, and sector-specific reporting requirements to avoid conflicting timelines.
  • Vendor management. Ensure managed service providers and incident response partners can support CIRCIA data collection and notification workflows.

Operational recommendations

  • Submit comments by the deadline, addressing definitions and thresholds that affect your sector.
  • Run joint exercises with legal, communications, and technology teams to practice gathering the NPRM’s required data fields within the 72-hour window.
  • Assess logging, forensic readiness, and ransomware response contracts to ensure evidence retention for the mandated two-year period.