There are some stunning cybersecurity statistics about the billions of dollars of impact from cyber events, how long it takes the average organization to realize it has an intrusion, and the difficulty to hire and retain good cyber professionals – but much of this information is still highly opaque. Now, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) stands poised to improve our visibility into this “fuzzy” data.

Effective cybersecurity has always relied on insight and clarity. With cybersecurity, we scan our networks for vulnerabilities; understand where an event exists in what Lockheed Martin calls the “Cyber Kill Chain”; or look for anomalous behavior, just to name a few routine cyber activities. But if we can’t “see” the threats, we can’t respond to them. 

Despite what ironically may seem an overabundance of data, “… no one U.S. Government agency has visibility into all cyberattacks occurring against U.S. critical infrastructure on a daily basis,” a Senate committee wrote in the lead-up to CIRCIA’s passage. No one fully understands the breadth and depth of attacks on our critical infrastructure. 

CIRCIA was signed into law in 2022, requiring “covered entities to report to CISA within certain prescribed timeframes any covered cyber incidents, ransom payments made in response to a ransomware attack, and any substantial new or different information discovered related to a previously submitted report.” The Cybersecurity and Infrastructure Security Agency released a proposed rule for CIRCIA implementation earlier this year, and is seeking comments through July 3 (extended from June 3).

What does the CIRCIA proposed rule cover?

If CIRCIA were to address, say, only the 50 largest companies in the U.S., then we would have even less visibility into the cyber risk to the rest of the U.S. infrastructure, like the small and medium-sized businesses that make up so much of our economy, or the 3,031 county governments, 19,491 incorporated city or municipal governments, or the 16,214 townships in the U.S. (per U.S. Census Bureau data) that may be unprepared for modern day cyber-attacks. Instead, CIRCIA is designed to address cybersecurity transparency for the 16 sectors of critical infrastructure identified by CISA. “CIRCIA’s legislative history indicates that the primary purpose of CIRCIA is to help preserve national security, economic security, and public health and safety,” the proposed rule states.

Implementation of these CIRCIA requirements would introduce a tremendous amount of insight and understanding that we lack today. Are those “billions in losses” correct? Are organizations meeting the basics of cybersecurity? What are the basics? Is there really a cyber skill shortage, or is it a result of the refusal to properly compensate existing professionals, as some have claimed? The CIRCIA rules would launch the collection of a comprehensive set of data, unlike anything we have today, to look for accurate answers. The scope of the rule will be far-reaching; CISA estimates that 316,244 entities will be affected. 

The proposed rule includes clarification that cyber also encompasses operating technology (OT) environments: “… an explicit acknowledgment that OT is included within the definition of information system.” OT includes all those sensors, valves, and switches used for everything from measuring the flow of water to the temperature of food, to the thickness of steel or the speed of a cutting tool. The OT ecosystem is made up of the billions of devices used by organizations to make, monitor, and measure the industrial processes that support manufacturing, mining, shipping, and transportation. It is so large that it has been termed the “industrial internet of things,” or IIOT, and when these sensors talk to the internet, they are a target of cyber intruders at the nation-state adversary level. 

But the controllers that manage industrial production are often overlooked for cybersecurity protection because they are considered “part of the production process,” the responsibility of line engineers, and often exempt from the cyber policies that cover the rest of the network. CISA agrees that this oversight is harmful, so the agency has proposed to include these production controllers in their reporting requirements. 

In CIRCIA, CISA is also proposing a definition of “personal information” that is broader and different than the approach taken by the Cybersecurity Information Sharing Act of 2015. The rule also broadly defines “entity” by saying the nomenclature or organizational structure does not matter “as long as it is a structure that imports legal presence or standing in the United States.”

What will CIRCIA require to be reported?

According to CISA, the reporting process overview is:

“First, CIRCIA requires a covered entity that experiences a covered cyber incident to report that incident to CISA.” This adds to the disclosure burden already imposed by numerous regulators.

“Second, CIRCIA requires a covered entity that makes a ransom payment as the result of a ransomware attack against the covered entity to report that payment to CISA,” which will need to be aligned with other disclosure requirements, such as those to the SEC.

“Third, CIRCIA requires that, until a covered entity notifies CISA that the covered cyber incident in question has concluded and been fully mitigated and resolved, a covered entity must submit an update or supplement to a previously submitted report on a covered cyber incident if substantial new or different information becomes available,” elongating and complicating the incident reporting process.

“Finally, CIRCIA requires that a covered entity submit an update or supplement to a previously submitted report on a covered cyber incident if the covered entity makes a ransom payment after submitting a Covered Cyber Incident Report.”

In short, organizations will be required to continually report until cyber incidents are fully mitigated and resolved. It is not uncommon for this period to be a year or longer. Any ransom payments made by the organization or a third party must be reported even if the cyber-attack that caused the payment wasn’t a covered event. 

How else will the proposed rule affect your organization? 

• To meet the anticipated reporting requirements, you will need to have mapped all of the data in the organization. 
• While the proposed rule doesn’t explicitly call out log retention requirements, you should prepare to be able to report relevant log activity over the entire incident timeline. This implies that log retention must be for two to three years minimum, given the duration of an average cyber incident. 
• It also sets the foundation for future regulation that will require a minimum level of cyber maturity for all organizations. The proposed rule calls for the preservation of evidence – think eDiscovery requirements – for your indicators of compromise or malware, along with relevant supporting data. Don’t forget that all this will apply to your OT environment, not just your IT environment.

In conclusion

CIRCIA will likely bring a lot of positives in terms of cyber intelligence – improved understanding of threats, tactics, and procedures used by threat actors. Collecting data and performing analysis will allow for a more nuanced and factual understanding of the threats every organization faces. CIRCIA will also require reporting entities to meet the new disclosure requirements outlined above. That means having protection and detection capabilities in place or solving your own cybersecurity data visibility challenge. 

CohnReznick has been helping organizations of all sizes, complexities, and states of cyber maturity solve their cyber visibility challenges. We have experience helping clients solve national defense issues; helping startups facing cyber expectations for the first time; and helping those who have a legacy environment that is challenged by today’s threats. Reach out to discuss how we can help you improve your cybersecurity vision.