DHS CIRCIA Reshapes the Cybersecurity Regulatory Landscape for All Companies

The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) recently published its Notice of Proposed Rulemaking (NPRM) for its proposed rules implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This notice clarifies and answers key questions and points from when the act was newly-signed into law, many of which were outlined in our 2022 blog post on the law.

The notice shows a clear move by CISA to position CIRCIA as a more comprehensive federal data breach reporting standard that covers a wide swath of the US economy. Given the growing awareness of the vulnerability of US critical infrastructure and continued volume of data breaches, CISA seems to believe it’s been presented with an opportunity, especially given the complex political environment in which an actual standard hasn’t passed Congress yet. The law will also clearly bolster CISA sources of intelligence for threat detection, mitigation, and law enforcement purposes. 

Whether CIRCIA becomes a true national standard remains to be seen, but is clearly an unmistakable move in that direction. Companies and industry groups have and will continue to push back. The open public comment period on the proposed rules was extended already, now ending on July 3rd, and we expect finalization no later than in 18 months in late 2025. At the moment, the law does not preempt any of the decades-old patchwork quilt of 50-state data breach notification requirements nor the numerous and expanding sector-based and other federal requirements absent an agreement with CISA. 

This plus very strong requirements on small businesses (in some cases regardless of size) will feel onerous to many companies, especially those that have never had a requirement like this to date. That said, the sectors covered here largely underpin society, and if CISA can wrangle agreements with other agencies then the law is likely preferable to the current patchwork, even if it doesn’t replace it. Regardless of continued industry pushback, we expect CISA will hold the line, the rules will not significantly change, and become enforceable no later than early 2026. 

CIRCIA’s Broad Applicability to Companies of All Sizes

As previously noted in our 2022 blog, CIRCIA has broad applicability to “Covered Entities” operating in 16 Critical Infrastructure Sectors. This might sound somewhat specific, but these sectors include the financial, health care, IT, and energy sectors. Our 2022 blog predicted how far this approach would likely extend CIRCIA’s reach, and CISA has taken an even broader stance than expected. 

We now know that almost any entity operating in these sectors is covered, unless they meet the definition of a Small Business Administration’s small business. Even then, however, many small companies are covered: to address what some flagged as a potential gray area, the NPRM makes clear that CIRCIA’s Covered Entity definition captures all entities, regardless of size, operating in the critical infrastructure sectors that fulfill sector-based criteria (without exception). 

For example, the sector-based criteria for the information technology sector would include entities that provide or support IT services for the federal government; or entities that operate a covered chemical facility; entities that provide wire or radio communications; or that develop, license or maintain software that manages or controls access, has privileged access, controls operational technology or performs a function critical to trust (including endpoint security). The NPRM has many more examples, and this sector-based criteria effectively closes the gap for many small businesses hoping not to fall under the critical infrastructure reporting obligations. 

This change is a big impact–right now we see only a smattering of public company incidents, breaches made more visible recently by the SEC rules, and the breach notifications a handful of states post online. Various reports put the pace at eight up to 29 breaches and about 83 incidents per day. Given those numbers, companies can expect to report significantly more often than they do currently, as those are likely not inclusive of the incidents occurring in many of these critical infrastructure sectors.

Most Cyber Incidents Will Require Companies to Act

The definition of cyber incident back in 2022 gave us room to consider how CISA would approach the types of incidents subject to its new rules for critical infrastructure providers. Perhaps unsurprisingly, the NPRM makes clear that any incident that negatively impacts a Covered Entity’s information systems could be considered a Covered Cyber Incident. 

Specifically, the rules provide the following for determining whether a report to CISA under CIRCIA is required:

• Substantial loss of confidentiality, integrity, or availability of information system or network; 
• Serious impact on the safety and resiliency of a covered entity’s operational systems and processes; 
• Disruption of the Covered Entity’s ability to engage in business or industrial operations or deliver goods or services; 
• Unauthorized access to a Covered Entity’s information system, network, or nonpublic information caused by the compromise of cloud service provider, or other third-party hosting provider; or, 
• A supply chain compromise.

A key facet of the proposed implementation is that the cause of the incident is essentially irrelevant–it doesn’t matter if the incident was caused by compromise of a third-party service provider, a denial-of-service attack, or a vulnerability in open-source code. This might at first draw a parallel to India’s CERT-In directive from 2022, given the wide scope of reporting requirements. The NPRM does draw the line at actual incidents, however, as “mere threats” or disruption, extortion, or events perpetrated in good faith in response to a request by the system owner or operator do not meet the incident threshold. 

It remains to be seen from the initial feedback to the draft if the breadth of scope and applicability across both companies and incidents will survive the rulemaking process, but recent state and federal regulations have been largely unaffected or only partially updated during feedback processes. Given that and the volume of incidents we’re already aware of occurring globally, many more companies can expect to fulfill the requirement to report incidents in the near future.

CIRCIA Adopts Continuous Reporting Approach, Requires Initial Notice in 24 to 72 Hours

CIRCIA’s initial plan for reporting is made up of four reports, all of which will be available through CISA’s website, specifically: 

• Covered Cyber Incident Reports – due within 72 hours of reasonably believing that a Covered Cyber Incident has occurred; 
• Ransom Payment Reports – due within 24 hours after a Covered Entity makes a ransom payment;
• Joint Covered Cyber Incident and Ransom Payment Reports – due within 72 hours; and,
• Supplemental Reports – due within 24 hours of new or different information becoming available. 

Here we see two trends in more recent reporting – a very rapid 24-hour deadline for high-impact events like ransomware payments as well as a continuous reporting requirement whenever information changes. Specifics for “new or different information” will likely be critical as this is a massive impact to companies of all sizes, let alone those that have never had to report an incident previously.

In addition, the NPRM explains that the CIRCIA reporting tool on CISA’s website will require extensive details (among others) that many companies struggle to pull together in weeks, let alone in a few days:

• Identity of the Covered Entity; 
• Description of affected functions; 
• Technical details of impacted network or devices; 
• Vulnerabilities exploited;
• Categories of information accessed;
• Relevant dates; 
• CE’s security protocols; 
• Impact of the incident on operations; 
• Indicators of compromise; 
• Description of the type of incident and tactics; 
• Identifying information about the attacker; 
• Description of any mitigation and response activities;
• Identification of any law enforcement responding to the incident; 
• Identification of the individual submitting the CIRCIA Report; and,
• Whether another entity assisted in responding to the Covered Cyber Incident. 

In addition to Cyber Incident Reporting, CIRCIA’s Ransom Payment Reports require information regarding: 

• The payment demand; 
• Amount and types of assets used in the payment; 
• Identity of the recipient; 
• Form of payment requested; 
• Ransom payment instructions; and,
• Transactional identifiers.

Given the likely complicated reporting task, CIRCIA allows for third parties to submit reports on behalf of Covered Entities, with the Covered Entity on the hook for the content and timeliness of the report. Further, Covered Entities must retain the supporting data used to file the reports for at least two years from the date of submission.  

These requirements continue the trend toward regulatory continuous reporting as well as the push to abandon the existing, broken legal paradigm of recording nothing during an incident. Companies will likely look for exceptions to the law, and some exist, but CISA has painted a wide brush with its proposed rules across industry.

Exemption for Similar Reporting Obligations

While CIRCIA is soon to be the new big kid on the incident reporting block, it contains provisions to eliminate duplicative reporting obligations to other federal agencies…with a catch. CISA proposed that the only way to eliminate duplicative reporting is for other federal agencies to establish an agreement (a “CIRCIA Agreement“) with CISA where substantially similar reporting requirements exist. CISA also has wide discretion to determine what “substantially similar” means and may also terminate a CIRCIA Agreement at any time. As a result, and depending on the volume of reports, it is possible that duplicative reporting will take some time to reduce. 

Notably, CIRCIA reporting does not change state level reporting obligations. Separately, federal agencies that are required by the Federal Information Security Modernization Act (FISMA) to report incidents to CISA would be exempt from reporting those incidents under CIRCIA.

The Carrot: Benefits of CIRCIA Reporting

To facilitate the provision of the details required in CIRCIA reporting, some of which Covered Entities may consider sensitive, confidential, and even subject to attorney-client privilege, the NPRM provides certain guarantees for Cyber Incident Reports, ransomware payment reports, and request for information (RFI) responses that will meaningfully insulate reporting companies from certain risks, such as: 

• No enforcement action may be taken based solely on the submission of a CIRCIA report or in response to an RFI; 
• No privilege waiver for any applicable privilege or protection provided by law as a consequence of submitting a CIRCIA Report or RFI response; 
• CIRCIA Reports are exempt from FOIA disclosures; 
• Covered Entities can designate their reports as “commercial, financial, and proprietary” for CISA handling

Federal agencies may also use CIRCIA reporting only for cybersecurity purposes, such as identifying a cybersecurity threat or security vulnerability, or responding to or mitigating a specific threat of death, serious bodily harm, or serious economic harm.

The Stick: Enforcement and Penalties

Surprisingly in the NPRM there is a lack of clear enforcement consequences. Perhaps this ambiguity is intentional. Regardless, the proposed CIRCIA rules do not have mandatory penalties for Covered Entities violating its reporting obligations. That said, CISA can issue RFIs if it has reason to believe a Covered Entity has failed to submit a report. In addition, CISA can issue subpoenas for information and to compel responses to its information requests. In hopefully exceptional circumstances, CISA can also follow up its investigative efforts with a civil action through the Department of Justice – which brings with it the possibility of contempt of court punishment for non-compliant Covered Entities. Unsurprisingly, false statements under CIRCIA reporting obligations can be prosecuted as crimes. 

As readers can appreciate, CIRCIA’s reporting requirements mean that sensitive data will be leaving the control of Covered Entities, something that any company will find difficult and costly to manage given the risk of adverse outcomes. RFIs and court enforcement of reporting requirements will likely provide companies significant encouragement to comply with the new rules.

Automation will be Required to Meet Regulatory Demand

The coming CIRCIA reporting obligations clearly bring meaningful change to wide swaths of industry, adding reporting obligations on many companies not familiar with dealing with these requirements. For larger companies and those in highly-regulated sectors, and especially at first, the reports will likely layer onto existing US federal, sector, and state breach reporting requirements already undertaken for cybersecurity incidents in other regulatory regimes – in other words, more reports and faster reporting timelines. While we expect companies and industry groups to continue to push back given the incremental lift to meet the new requirements will not be zero, as noted earlier past efforts to reduce a law’s impact ahead of its implementation have been at best only partially successful.

Regardless of how the CIRCIA rule finalizes, given the insane pace of incidents in the last few years, by some accounts over 8 breaches per day and by others 83 incidents and 29 breaches per day, regulators will continue to push for transparency and change. Anticipating this and to effectively respond to cybersecurity incidents and legal reporting requirements around them, companies must drastically alter their approach by adopting proactive readiness and consistent response strategies. 

Leveraging a combination of technology automation, regulatory intelligence, and expert guidance such as provided by the BreachRx incident response platform, is the only effective approach to proactively prepare for the breadth of threats and the 200+ cybersecurity, privacy, and data breach regulations globally. Technology enables the development and maintenance of comprehensive playbooks for a wide range of incidents. It enables preparation through regular training, simulations, and exercises, ensuring that all stakeholders—security, legal, IT, compliance, communications, and decision-makers—are aligned and ready to handle incidents effectively. Automation also enhances team collaboration, better protects legal privilege, and accelerates response times. This proactive approach not only meets the necessary requirements but also fortifies an organization’s cyber resilience, reducing the overall impact and cost of incidents.

The benefit from the law, in whatever final form it takes, is it will ultimately allow DHS and CISA to better understand the threat landscape and develop countermeasures, advance awareness, and deploy faster mitigation strategies. This will assist with law enforcement and national security as well as reduce the advantage attackers have over overstretched and overworked defenders. In the end, if companies embrace automation rather than try to approach this with the legacy, already-failing approach to incident response, they’ll likely see that they and the economy as a whole will benefit from CIRCIA.