By Cody Venzke
On March 15, 2022, President Joseph Biden signed H.R. 2471, the Consolidated Appropriations Act, 2022, into law. Division Y of the Appropriations Act, titled the “Cyber Incident Reporting for Critical Infrastructure Act of 2022” (the Act), establishes new cybersecurity reporting requirements for the owners or operators of critical infrastructure.
Under the Act, an “entity in critical infrastructure” must report “substantial cyber incidents” and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). Although the Act’s requirements must be developed through rulemaking by CISA, it is poised to impose new cybersecurity reporting requirements across dozens of industries.
The Act applies to “covered entities,” which it defines as “an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21” (PPD-21). The 2013 PPD-21 and related law define “critical infrastructure” as “systems and assets, whether physical or virtual, so vital to the United States” that their incapacity or destruction would debilitate “security, national economic security, national public health or safety, or any combination of those matters.” PPD-21 identified 16 “critical infrastructure sectors,” including communications, energy, healthcare, and government facilities, among others. PPD-21 and subsequent legislation designated a “Sector Risk Management Agency” (SRMA) for each of those sectors to coordinate with the Department of Homeland Security in the protection of their respective sector’s cybersecurity.
Covered entities are required by the Act to report “covered incidents,” which it defines as a “substantial cyber incident,” and ransomware payments. The Act incorporates the existing definition of a “cyber incident” under the Homeland Security Act of 2002, 6 U.S.C. § 659, as an “occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system.” Covered entities must report covered incidents or ransomware payments to CISA within 72 or 24 hours, respectively; however, the statutory deadline for reporting covered incidents begins to run only after the entity “reasonably believes a covered cyber incident has occurred.”
Although the Cyber Incident Reporting Act incorporates existing definitions of “critical infrastructure” and “cyber incidents,” the scope of those terms is subject to refinement under future rulemaking by CISA. At minimum, the future rulemaking must provide “clear description[s]” of:
- the “types of entities that constitute covered entities,”
- the “types of substantial cyber incidents that constitute covered incidents,”
- the “specific required contents of a report” for a covered incident or a ransomware payment, and
- procedures for submitting required reports.
CISA’s rules must be promulgated through a notice of proposed rulemaking (NPRM) and a final rule. CISA is required to publish an NPRM within 24 months of the Act’s enactment in consultation with the SRMAs, the Department of Justice, and “other Federal agencies.” The final rule must be published within 18 months of the NPRM. The Act stipulates that “subsequent rules” promulgated following the final rule must “comply with the requirements under chapter 5 of title 5, United States Code, including the issuance of a notice of proposed rulemaking under section 553 of such title,” known as the Administrative Procedure Act (APA). The requirement that subsequent rulemaking meet the notice requirements of the APA suggests that the initial NPRM and final rule need not do so.
The Act also contains other provisions, including privacy protections for reports provided under the Act, a pilot program for ransomware vulnerability warnings, and increased coordination and information sharing by the National Cybersecurity and Communications Integration Center. The Act’s reporting requirements for covered entities do not come into effect until “the dates prescribed in the final rule issued” by CISA.