The Cybersecurity and Infrastructure Security Agency (CISA) is seeking input on various aspects of proposed incident reporting regulations under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (discussed here). CISA issued a Request for Information (RFI) and has scheduled a number of listening sessions across the country. Written comments may be submitted until November 14, 2022.

CISA is particularly interested in input from owners and operators of critical infrastructure entities on the potential impact of the proposed requirements. CISA has provided a non-exhaustive list of topics related to the rulemaking, but of note are the following:

  • The definition of “covered entity” including the number of entities, either overall or for a specific industry or sector
  • The meaning of “covered cyber incident” and “substantial cyber incident” and in particular how to better align these definitions with other federal incident reporting requirements
  • What constitutes a “reasonable belief” that a covered cyber incident has occurred
  • The meaning of “ransom payment” and “ransomware attack,” and when the timeline for reporting a ransom payment should begin
  • Input about information preservation after an incident, including methods, cost, and duration
  • The role of third-party entities in submitting covered cyber incident or ransomware reports

Putting it Into Practice: The RFI outlines key terms and considerations relevant to critical infrastructure and provides insight on CISA’s general approach to incident response, which may serve as the basis for future requirements applicable to other sectors. This comment period is an opportunity for companies to influence the scope and impact of the final rule. Comments may be submitted through November 14, 2022 at