CISA Requests Public Comment on Implementing Regulations for the Cyber Incident Reporting for Critical Infrastructure Act | Inside Privacy

By Jim Garland, Micaela McMurrough, Ashden Fein, Caleb Skeath & Matthew Harden on September 23, 2022
On September 12, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) published a Request for Information, seeking public comment on how to structure implementing regulations for reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). Written comments are requested on or before November 14, 2022 and may be submitted through the Federal eRulemaking Portal: http://www.regulations.gov.

Overview of CIRCIA. CIRCIA was signed into law on March 15, 2022 and establishes two cyber incident reporting requirements for covered critical infrastructure entities:

A 24-hour requirement to report any ransomware payments to CISA; and
A 72-hour requirement to report all covered cyber incidents to CISA.

These requirements will take effect upon the issuance of implementing regulations from the Director of CISA. The Act directs CISA to issue a Notice of Proposed Rulemaking (“NPRM”) within 24 months of the date of enactment to implement the Act’s requirements, and to issue a final rule within 18 months of issuing the NPRM.

Request for Information. CISA is seeking public comment through its Request for Information on potential aspects of the proposed regulation prior to publication of the NPRM. According to the Request for Information, CISA is particularly interested in public input regarding:

Definitions, criteria, and the scope of regulatory coverage, including the scope of covered entities and covered incidents;
Report contents and submission procedures, including when timing requirements for various reporting requirements will begin to run;
Other incident reporting requirements and security vulnerability information sharing; and
Additional policies, procedures, and requirements.

Looking Ahead. As noted, written comments are requested on or before November 14, 2022. Submissions received after that date may not be considered. Comments may be submitted through the Federal eRulemaking Portal: http://www.regulations.gov.

CISA will also be hosting public listening sessions throughout the comment period as an additional means for interested parties to provide input.