DHS Requests Comments on Mandatory Cyber Attack and Ransom Reporting 

DHS Requests Comments on Mandatory Cyber Attack and Ransom Reporting 

This month, the Department of Homeland Security (DHS) released a Notice of Proposed Rulemaking (NPRM) in the Federal Register seeking comment on cyber incident and ransom payment reporting requirements as required by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Comments are due June 3, 2024.

CIRCIA, signed into law by President Biden in 2022, requires the DHS Cyber security and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents (within 72 hours) and ransomware payments (within 24 hours) to CISA, as well as to report any substantial new or different information discovered related to a previously submitted report. These reports would allow CISA to deploy resources and assist victims suffering attacks, analyze incoming reporting to spot trends, and quickly share information with network defenders to warn other potential victims.

The cyber incident reporting landscape currently consists of dozens of Federal and state/local/tribal/territorial cyber incident reporting requirements, yet no single Federal statute or regulation facilitated a comprehensive and coordinated approach to understanding cyber incidents across critical infrastructure sectors prior to CIRCIA’s enactment. No one government agency has visibility into the breadth and totality into occurring or reported cyber incidents. CIRCIA mandates CISA to promulgate rules covering the systematic collection of cyber incident information to aggregate, analyze, and share information, at the scale necessary to prevent, deter, defend against, respond to, and mitigate significant cyber threats. The result is a benefit to both covered entities required to report under CIRCIA, and entities not subject to CIRCIA that will receive downstream benefits such as enhanced information sharing, more secure technology products, and improved network defense capabilities.

CISA is seeking comments on:

• Defining Key Terms: CISA seeks comments on defining “Covered Entity” as parties responsible for complying with covered cyber incident and ransom payment reporting, including entities in critical infrastructure sectors such as Communications.
• CIRCIA Reports: CISA proposes four types of reports to be filed by covered entities or third parties on their behalf, including Covered Cyber Incident Reports, Ransom Payment Reports, Supplemental Reports, and Joint Covered Cyber Incident and Ransom Payment Reports, each with specific timelines for submission.
• Cyber Incident Classification: CISA clarifies that a covered entity need only determine if a cyber incident qualifies as a substantial cyber incident, which includes incidents leading to loss of confidentiality, integrity, availability, operational system disruptions, or unauthorized access to nonpublic information.
• Applicability Clarification: CISA outlines criteria for determining Covered Entity status, including exceeding the US Small Business Administration’s small business standard and belonging to specified sectors such as Communications, Emergency Services, Information Technology, and Healthcare and Public Health.
• Data Preservation and Privacy Protection: CISA proposes data and records preservation requirements, specifying types of data to be preserved, preservation periods, procedural requirements for storage and accessibility, and procedures for protecting privacy and civil liberties, including anonymization of personal information not directly related to cyber security threats, and penalties for false or fraudulent reporting.

CISA acknowledges the potential for covered entities to face duplicative cyber security reporting obligations and seeks comment on how to align proposed reporting requirements with existing federal mandates. Providing comments to CISA, particularly if you are already reporting to another agency on covered cyber incidents or ransom payments, could help relieve future reporting burdens. One specific concern for clients is the FCC’s Network Outage Reporting System (NORS) requirements, which requires telecommunications services and Voice over Internet Protocol (VoIP) providers to report communication service outages caused by cyber incidents to the FCC.

We encourage clients to provide feedback on their current cyber security reporting requirements to other federal agencies, including where it may be duplicative or unnecessarily onerous in addition to CISA’s proposed reporting requirements. We also recommend that clients use their considerable first-hand experience in combatting cyber incidents to inform this proceeding.

Comments are due June 3 and must be submitted via the Federal eRulemaking Portal, available at http://www.regulations.gov, referencing docket number CISA-2022-0010. Please contact Jenn Holtz if your company is interested in filing comments for this NPRM or Daniel Brashear if you require any cyber security assistance.