In 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law. As Secretary of Homeland Security Alejandro N. Mayorkas stated, “CIRCIA strengthens our capability to identify patterns, deliver support to victims of cyber occurrences, and rapidly exchange information with other potential victims, encouraging the reduction of cyber risks across all crucial infrastructure fields.”

Although the legislation is in force, the reporting requirements for covered entities will not be enforced until CISA completes its rulemaking process. As part of that process, the agency published a 447-page Notice of Proposed Rulemaking (NPRM), which was opened for public comment on April 4, 2024. The comment period closed on July 3, 2024; here is an overview of the opinions expressed by industry associations and organizations regarding the proposed rule, its consequences, and its perceived deficiencies.

Healthcare: Criticisms consolidate around redundant obligations

Healthcare institutions are raising concerns about what they regard as repetitive reporting stipulations. Both the American Hospital Association (AHA) and the Medical Group Management Association (MGMA) are apprehensive that the new regulations issued under CIRCIA essentially replicate those put forth by HIPAA.

The AHA and MGMA argue that since healthcare bodies are already obligated to report breaches under the HIPAA Breach Notification Rule, the analogous requirements of CIRCIA would introduce additional burdens without any advantages. They express particular worry about the potential penalties under the rule, under which unreported incidents could be referred to the Attorney General and escalate to civil action or contempt of court charges.

In correspondence from the AHA to CISA Director Jen Easterly, it is stated, “The AHA recognizes that the proliferation and impact of cyber crime necessitate rigorous government measures to safeguard American citizens; however, penalizing victims is illogical and counterproductive.”

From the viewpoints of both the AHA and MGMA, the current version of CIRCIA complicates the ability of healthcare institutions to react promptly to incidents. Instead of safeguarding patients and addressing immediate consequences, enterprises would be compelled to concentrate on fulfilling multiple reporting obligations.


Critical infrastructure: Challenges arise surrounding extent and timeframe

Concerns are also being raised by critical infrastructure entities regarding the proposed regulation. According to Cybersecurity Dive, they are apprehensive about the time constraints for reporting obligations and the breadth of incidents encompassed by CIRCIA.

Under the proposed rule, covered entities would have 72 hours to report a breach and only 24 hours to disclose any ransomware payment. Aware of the potential repercussions of infrastructure disruptions such as attacks on energy grids or compromises of water treatment facilities, industry advocates fear that such stringent reporting timelines could impede efforts to remediate issues and restore services quickly.

Accordingly, bodies such as TechNet and the American Gas Association (AGA) are urging CISA to confine the initial reporting obligations to only the most vital sectors among critical infrastructure providers. TechNet specifically contends that although critical functions are integral to infrastructure operations, not all divisions of an organization are tasked with those functions. By narrowing the definition of “critical,” they argue, teams will be better positioned to handle the consequences of an incident.

Transitioning from proposal to implementation

Now that the comment period has closed, CISA will evaluate industry input and make any necessary modifications to the NPRM. The release date of the final rule remains undisclosed, but it is unlikely to occur before 2025.

For organizations in critical infrastructure, a waiting period now begins. CISA has declined to comment on the feedback or on the likelihood of adopting the suggested amendments. Ideally, the final framework will strike a balance, with reporting deadlines that are shorter than providers would prefer but long enough to permit effective identification of incident causes and mitigation of key risks.