During the Colonial Pipeline incident a few years back, panic buying and long lines at gas stations were driven in part by a scarcity of reliable information. The event sounded the alarm on the serious threats facing critical infrastructure and on the wider consequences an attack can have.
In response to this and other well-known cyberattacks, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Because government rulemaking typically moves slowly, it is only now, in 2024, that the Cybersecurity and Infrastructure Security Agency (CISA), the agency tasked with overseeing CIRCIA, is finalizing the rule requirements needed for the law to take effect. On April 4, CISA issued a Notice of Proposed Rulemaking (NPRM), which remained open for public comment until July 3; the final rules and regulations are expected no later than October 2025.
The primary objective of CIRCIA is to change how entities across critical infrastructure communicate during a cyber crisis and to improve overall cybersecurity readiness.
The 72-hour rule
CISA has identified 16 sectors as critical infrastructure. Yet under CIRCIA, only 13 of these sectors will be required to follow the reporting rules (at present, the Commercial Facilities, Dams, and Food and Agriculture sectors are excluded, although this could change).
Under the new crisis communication rules, any company operating within one of the 13 covered critical infrastructure sectors, including small and medium-sized businesses, must report a cyber incident to CISA within 72 hours of its occurrence. Any federal agency that receives a report of a covered cyber incident has 24 hours to pass that report on to CISA.
The rules also establish an intergovernmental Cyber Incident Reporting Council that will coordinate, deconflict, and harmonize federal incident reporting obligations.
Additional ransomware guidelines under CIRCIA
Recognizing that ransomware is the predominant form of attack on critical infrastructure, CIRCIA includes guidelines to help these organizations defend themselves against ransomware. These include:
- If an organization makes a ransomware payment after an attack, it must report the payment to CISA within 24 hours. CISA will share this report with other federal agencies.
- Through the Ransomware Vulnerability Warning Pilot (RVWP) program, CISA authorizes the use of its authorities and technologies to identify systems with vulnerabilities that could lead to ransomware, and promptly notifies the owners so they can fix those systems before an attack occurs.
Covered cyber incident criteria
In addition to its reporting requirements, CIRCIA and CISA define specific criteria for what qualifies as a covered cyber incident. If an incident meets any of these criteria, it must be reported:
- An incident that results in a substantial loss of confidentiality, integrity, or availability of systems, or that seriously affects the resilience or safety of operations
- An incident that disrupts business or industrial operations, including DoS attacks, ransomware, and zero-day attacks
- An incident that enables unauthorized access, or that disrupts business operations through loss of service from a third-party provider
Preparation for CIRCIA
Although full enforcement of CIRCIA is still a year away and the rules will probably change in the meantime, organizations can begin taking steps now to prepare for eventually reporting a covered incident.
This starts with determining whether your organization falls within the covered sectors and, if so, familiarizing yourself with the reporting rules.
This is also a good time to review the organization's cybersecurity policy and adopt recommendations from the NIST Cybersecurity Framework 2.0, the NIST software supply chain security guidance, and other available government cybersecurity guidelines.
The incident response team should be fully familiar with the CIRCIA requirements as well as the existing incident response plan, and should run tabletop exercises against them. The incident response procedures may need to be adjusted to meet these requirements. If your organization does not yet have an incident response team and plan, this is the time to put one in place.
CIRCIA rules will only become mandatory in 2025, when the final rules take effect. Nonetheless, beginning to follow the guidelines now can improve cybersecurity across your business and across critical infrastructure.