CISA Issues Notice of Proposed Rulemaking for Critical Infrastructure Cybersecurity Incident Reporting
Inside Privacy
Updates on developments in data privacy and cybersecurity

On March 27, 2024, the U.S. Cybersecurity and Infrastructure Security Agency's ("CISA") Notice of Proposed Rulemaking ("Proposed Rule") related to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 ("CIRCIA") was released on the Federal Register website. The Proposed Rule, which will be formally published in the Federal Register on April 4, 2024, proposes draft regulations to implement the incident reporting requirements for critical infrastructure entities from CIRCIA, which President Biden signed into law in March 2022. CIRCIA established two cyber incident reporting requirements for covered critical infrastructure entities: a 24-hour requirement to report ransomware payments and a 72-hour requirement to report covered cyber incidents to CISA. While the overarching requirements and structure of the reporting process were established under the law, CIRCIA also directed CISA to issue the Proposed Rule within 24 months of the law's enactment to provide further detail on the scope and implementation of these requirements. Under CIRCIA, the final rule must be published by September 2025.

The Proposed Rule addresses various elements of CIRCIA, which will be covered in a forthcoming Client Alert. This blog post focuses primarily on the proposed definitions of two pivotal terms that were left to further rulemaking under CIRCIA, "Covered Entity" and "Covered Cyber Incident," which illustrate the broad scope of CIRCIA's reporting requirements, as well as certain proposed exceptions to the reporting requirements. The Proposed Rule will be subject to a review and comment period for 60 days after publication in the Federal Register.

Covered Entities

CIRCIA broadly defined "Covered Entity" to include entities that are in one of the 16 critical infrastructure sectors established under Presidential Policy Directive 21 ("PPD-21") and directed CISA to develop a more comprehensive definition in subsequent rulemaking. Accordingly, the Proposed Rule (1) addresses how to determine whether an entity is in one of the 16 sectors and (2) proposes two additional criteria for the Covered Entity definition, either of which must be met in order for an entity to be covered. Notably, the Proposed Rule's definition of Covered Entity would encompass the entire corporate entity, even if only a constituent part of its business or operations meets the criteria. Thus, Covered Cyber Incidents experienced by a Covered Entity would be reportable regardless of which part of the organization suffered the impact. In total, CISA estimates that over 300,000 entities would be covered by the Proposed Rule.

[Figure: Decision tree that demonstrates the overarching elements of the Covered Entity definition. For illustrative purposes only.]

16 Critical Infrastructure Sectors. Consistent with CIRCIA, the proposed regulatory text of the Covered Entity definition includes that entities must be in a critical infrastructure sector, but the text does not define this term or describe how to determine which entities are within those sectors. However, the commentary in the Proposed Rule states that this threshold question is effectively tied to the sector descriptions in the critical infrastructure Sector-Specific Plans ("SSPs") that were developed pursuant to PPD-21. Thus, entities can rely on the SSPs to determine if they are in a sector. Notably, the scope of the SSPs is not limited to owners and operators of critical infrastructure systems and assets. Accordingly, the Proposed Rule indicates that reporting requirements would also apply to a small subset of entities covered in the SSPs that are active participants in a particular sector and that can impact the security of critical infrastructure.

Additional Criteria. The Proposed Rule then outlines two additional scoping criteria for the definition of Covered Entity: (1) the size of an entity, and (2) whether the entity meets certain sector-based criteria. A critical infrastructure entity that falls within one of the 16 sectors described above need only fall within one of these categories to be a Covered Entity.

The Proposed Rule does not include any separate sector-based criteria for the Commercial Facilities Sector, the Dams Sector, or the Food and Agriculture Sector, and would instead rely on the size-based or overlapping sector-based criteria to determine which entities in these sectors qualify as Covered Entities.

Covered Cyber Incidents and Ransomware Attacks

CIRCIA requires that Covered Entities report to CISA (1) any Covered Cyber Incident within 72 hours and (2) any Ransomware Attack that results in a ransom payment within 24 hours. CIRCIA also requires Covered Entities to promptly submit certain supplemental reports providing updated or additional information about the incident following the initial submission. While CIRCIA included specific definitions for "Ransomware Attack" and "Ransom Payment," which the Proposed Rule largely aligns with, CIRCIA directed CISA to provide a definition with more detailed criteria for a "Covered Cyber Incident" as part of the rulemaking process.

The Proposed Rule would define a Covered Cyber Incident to include two subsidiary definitions: a "Cyber Incident" and a "Substantial Cyber Incident." First, the Proposed Rule provides a definition for the term "Cyber Incident," that is, an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually jeopardizes, without lawful authority, an information system. A Cyber Incident that then meets certain impact-based criteria would be considered a Substantial Cyber Incident. Finally, a Covered Cyber Incident would be defined as any Substantial Cyber Incident experienced by a Covered Entity.

The Proposed Rule states that a Cyber Incident must meet certain impact-based criteria in order to be a Substantial Cyber Incident. There are four such criteria, and an incident needs to meet only one of the four criteria to constitute a Substantial Cyber Incident.

CISA states in the Proposed Rule that it interprets CIRCIA to limit the fourth criterion to unauthorized access that is achieved by the enumerated causes set forth in CIRCIA's original statutory text (e.g., compromise of a CSP or supply chain compromise). To avoid ambiguity, the Proposed Rule includes a statement that a Cyber Incident that impacts a Covered Entity and results in any of the impacts identified in the first three criteria is a Substantial Cyber Incident regardless of what caused the incident. In other words, the first three criteria are not limited by the source of a compromise (e.g., third-party compromise) or a particular attack vector (e.g., exploitation of a zero-day).

Exceptions

The Proposed Rule includes three exceptions to reporting requirements. First, Covered Entities are not required to report to CISA if the entity provides a legally required incident report to another federal agency that contains substantially similar information, is provided in a substantially similar timeframe, and can be shared within that timeframe under an information sharing agreement between CISA and the federal agency. Second, the Proposed Rule exempts critical infrastructure owned, operated, or governed by multi-stakeholder organizations that develop, implement, and enforce policies concerning the Domain Name System. Third, federal agencies required by the Federal Information Security Modernization Act to report incidents to CISA are exempt from reporting those incidents under CIRCIA.

Other Matters

The Proposed Rule addresses various other aspects of CIRCIA, including incident reporting content requirements and mechanisms, data and records preservation requirements, enforcement mechanisms, and additional definitions (e.g., CSP and Information System). These and other matters will be addressed in further detail in the forthcoming client alert.

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal
investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Mr. Fein frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

Additionally, Mr. Fein assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations, including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, and requirements related to supply chain security.

Before joining Covington, Mr. Fein served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions, to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to WikiLeaks.

Mr. Fein currently serves as a Judge Advocate in the U.S. Army Reserve.

Micaela McMurrough has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and serves as co-chair of Covington's global and multidisciplinary Internet of Things (IoT) group. She also represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including "reasonable" security practices.

Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

Bob Huffman represents defense, health care, and other companies in contract matters and in disputes with the federal government and other contractors. He focuses his practice on False Claims Act qui tam investigations and litigation, cybersecurity and supply chain security counseling and compliance, contract claims and disputes, and intellectual property (IP) matters related to U.S. government contracts.

Bob has leading expertise advising companies that are defending against investigations, prosecutions, and civil suits alleging procurement fraud and false claims. He has represented clients in more than a dozen False Claims Act qui tam suits. He also represents clients in connection with parallel criminal proceedings and suspension and debarment.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including cybersecurity, the Buy American Act/Trade Agreements Act (BAA/TAA), and counterfeit parts requirements. He also has extensive experience litigating contract and related issues before the Court of Federal Claims, the Armed Services Board of Contract Appeals, federal district courts, the Federal Circuit, and other federal appellate courts.

In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial items and services. He handles IP matters involving government contracts, grants, Cooperative Research and Development Agreements (CRADAs), and Other Transaction Agreements (OTAs).

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors. She works with clients to navigate the complex rules and regulations that govern federal procurement, and her practice includes both counseling and litigation components. Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations. From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world's largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola, Inc., leading a team of lawyers supporting sales of commercial communications products and services to U.S. government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.

Web Leslie represents and advises emerging and leading companies on a broad array of technology issues, including on cybersecurity, national security investigations, and data privacy matters.
Web provides strategic advice and counsel on cybersecurity preparedness, data breach, cross-border privacy law, and government investigations, and helps clients navigate complex policy matters related to cybersecurity and national security.

In addition to his regular practice, Web also counsels pro bono clients on technology, immigration, and criminal law matters, including representing a client sentenced to life without parole by a non-unanimous jury in Louisiana.

Web previously served in government in various roles at the Department of Homeland Security, including at the Cybersecurity and Infrastructure Security Agency (CISA), where he specialized in cybersecurity policy, public-private partnerships, and interagency cyber operations. He also served as Special Assistant to the Secretary of Homeland Security.

Shayan Karbassi is an associate in the firm's Washington, DC office. He is a member of the firm's Data Privacy and Cybersecurity and White Collar and Investigations Practice Groups. Shayan advises clients on a range of cybersecurity and national security matters. He also maintains an active pro bono practice.

Attorney Advertising

Repeatedly ranked as having one of the best privacy practices in the world, Covington combines exceptional substantive expertise with an unrivaled understanding of the IT industry and of e-commerce and digital media business models in particular.