President Biden recently signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 as part of a larger omnibus appropriations bill. The new law sets out mandatory reporting requirements for critical infrastructure entities in the event of certain cyber incidents and ransomware payments. Under the Act, once implementing regulations are issued (which are not expected this year), covered entities will be subject to two new reporting requirements:

  • Covered entities must report covered cyber incidents no later than 72 hours after the covered entity reasonably believes that an incident has occurred.
  • Covered entities that make ransom payments as a result of a ransomware attack against critical infrastructure must report the payment no later than 24 hours after payment has been made.

While the general reporting timeframes are clear, the questions of who is impacted by this Act, what incidents must be reported, and what the reporting process requires are decidedly less clear. The Cybersecurity and Infrastructure Security Agency (CISA) will be issuing rules addressing those points. A proposed rule is to be issued within 24 months, and the Director of CISA is to issue a final rule within 18 months of issuance of the proposed rule. As part of the rulemaking, CISA will further define the scope of critical infrastructure entities that are covered. It is hoped that the rulemaking will also include a clearer description of what constitutes a substantial cyber incident. The requirements will not go into effect until CISA issues its rules.

The Act outlines strict enforcement mechanisms to ensure compliance. If CISA suspects a covered entity has not submitted a required report, CISA will ask the entity to disclose the incident. If the entity does not respond within 72 hours, CISA can subpoena the entity for more information. Failure to comply with the subpoena can result in civil penalties and/or suspension and debarment from federal contracting.

Putting it into Practice: Reporting requirements will not be effective immediately, but companies that generally operate in critical infrastructure sectors should review the Act, and the proposed rulemaking when it is released, to determine whether they will be subject to the reporting requirements. Companies may also consider submitting comments on the proposed rule to participate in the rulemaking process, and reviewing their incident response plans for updates that the new rules may require.