What’s Behind CISA’s Push for Private Sector Collaboration on CIRCIA Reporting Rules?

Back in May 2021, the notorious Colonial Pipeline hack disrupted fuel supply for several days, causing widespread gas shortages and price hikes across the East Coast of the U.S. [1] The attack, despite being one of the largest and most disruptive in U.S. history, was just one of the many high-profile cyber incidents that hit the country’s critical infrastructure sectors during that period. In the wake of such high-impact critical infrastructure attacks, Congress enacted CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) in March 2022, mandating CISA to develop and issue specific rules and requirements for CIRCIA. [2]

CISA published the NPRM (Notice of Proposed Rulemaking) for CIRCIA on April 4, 2024, officially opening a 60-day public comment period that was supposed to end on June 3, 2024. However, recognizing the complexity of the issue and the need for a thorough review, CISA recently extended the deadline to July 3, 2024. [3] It is now actively engaging the private sector to ensure all stakeholders have sufficient opportunity to provide their feedback and contribute to the development and enforcement of the final rule.

CIRCIA Explained

CIRCIA mandates critical infrastructure organizations operating in any of the 16 critical infrastructure sectors, including energy, healthcare, finance, and transportation, to report cyber incidents and ransomware payments to CISA within specific timeframes. The goal is to enhance the resilience and security of the nation’s critical infrastructure by ensuring timely sharing of cyber incident information.

CISA’s draft rules extend CIRCIA’s coverage to all private and public entities except small businesses as defined by the U.S. Small Business Administration. [4] Still, small organizations that are high-risk, like critical access hospitals and small power generation companies, are also subject to the reporting requirements. Covered incidents include incidents that cause substantial harm or pose a significant threat to organizational operations, national security, public health, or safety. As such, any incidents that result in loss of confidentiality, disruption in business processes, unauthorized access, denial of service, supply chain compromise, or ransomware payments must be reported under the CIRCIA mandate.

What are CISA’s CIRCIA Reporting Rules?

CIRCIA requires covered organizations to report covered cyber incidents within 72 hours from the time they reasonably believe the incident occurred. It also requires them to report any ransomware payments within 24 hours of making the payment. [5] The goal is to track the flow of ransomware payments and understand attacker behavior.

In-depth and timely reporting will provide CISA with valuable data on cyber incidents across critical infrastructure sectors, allowing them to identify trends, patterns, and emerging threats. It will also allow CISA to deploy resources and assistance to victims of cyberattacks more quickly. Most importantly, these reports will enrich shared threat intelligence, enabling better collaboration and proactive warnings for other potential victims.

What to Expect When the CIRCIA Comes into Effect

The final regulations outlining the specifics of CIRCIA reporting are still under development by CISA. Once the public comment period is over on July 3, 2024, CISA is expected to publish the final rule sometime after September 2025. But the legislation may take effect after 60 days, potentially pushing the date of enforcement to 2026.

The implementation of CIRCIA will significantly impact various stakeholders, including private sector businesses, government agencies, and the overall cybersecurity landscape. CISA itself is expected to receive, anonymize, and analyze up to 210,525 CIRCIA reports by 2030. [6] Therefore, it must also establish processes and ramp up capabilities for extracting and sharing useful insights with other stakeholders and potential victims.

Challenges in CIRCIA Implementation

Despite its potential to foster robust cybersecurity defenses at the national level, CIRCIA may introduce several challenges, particularly for private sector businesses and companies:

  • Reporting complexity: Reports under CIRCIA must be comprehensive and require detailed information about covered incidents. Compiling such reports can be too complex and time-consuming for many organizations with limited cybersecurity resources.
  • Multiple reporting requirements: CIRCIA is not the only cyber incident reporting regime. Existing federal and state regulations, along with contractual obligations, can create a potentially duplicative reporting landscape. This adds to the burden and can be confusing for businesses to comply with.
  • Reputational risks: Reporting cyber incidents can bring victim organizations to public attention, potentially damaging their reputation. Reporting entities may face negative media coverage, competitive disadvantage, loss of customer trust, and decreased investor confidence.
  • Delayed incident response: Cybersecurity teams are often already stretched thin, and the time and resources spent on reporting may take their focus and resources away from critical efforts to contain and mitigate the actual incident.
  • Cybersecurity risks: Detailed disclosures of incidents can inadvertently provide attackers with valuable insights for future exploits. These reports can divulge information about attacked systems, networks, and technologies, helping attackers understand the reporting organization’s security posture, identify potential weaknesses, and execute exploits before the organization has had a chance to patch.

Addressing the Challenges in Implementing CIRCIA

CISA is committed to working with other agencies to explore options for minimizing duplication and streamlining the reporting process across different regulations. It also aims to provide clear and accessible guidance on the reporting requirements and procedures that can help businesses understand their obligations and navigate the process more efficiently.

However, businesses themselves will have to take certain initiatives to mitigate the challenges and ensure compliance:

  • Recordkeeping: Organizations will have to maintain detailed records for all security incident investigations.
  • Incident response planning: They will need to invest in robust incident detection and response procedures. They’ll have to revise their incident response playbooks to prioritize and expedite detailed disclosures and clearly establish executive roles and responsibilities.
  • Staff training: Covered organizations will have to train staff on CIRCIA requirements and reporting procedures. They’ll also have to focus on conducting tabletop exercises to ensure that their staff is adept at following the procedures and takes adequate caution in internal communications to avoid legal risks.
  • Cybersecurity investments: The public attention from CIRCIA reporting will make the stakes all the higher for organizations, prompting them to increase their investments in proactive security measures.

Navigating the Ever-Stringent Regulatory Landscape with BreachLock

BreachLock offers a comprehensive suite of Continuous Attack Surface Discovery & Penetration Testing solutions and services that can help organizations navigate the post-CIRCIA landscape seamlessly and confidently. BreachLock ASM (Attack Surface Management) provides a complete view of an organization’s entire attack surface, including both internal and external assets, allowing for the identification and prioritization of any existing vulnerabilities based on their potential impact and likelihood of exploitation. This critical prioritization can serve as a starting point for continuous pentesting efforts and human-led penetration testing-as-a-service (PTaaS) and red teaming-as-a-service (RTaaS) to conduct simulated real-world attacks and exploit identified vulnerabilities to determine the best remediation approach.

With BreachLock, organizations can conduct security testing across their attack surface to significantly strengthen their cybersecurity posture and ensure seamless compliance with existing and upcoming regulations like CIRCIA.

Learn how BreachLock can help you prepare for the new CIRCIA rules. Schedule your free discovery call with BreachLock today!

About BreachLock:

BreachLock is a global leader in Continuous Attack Surface Discovery and Penetration Testing. Continuously discover, prioritize, and mitigate exposures with evidence-backed Attack Surface Management, Penetration Testing, and Red Teaming.

Elevate your defense strategy with an attacker’s view that goes beyond common vulnerabilities and exposures. Each risk we uncover is backed by validated evidence. We test your entire attack surface and help you mitigate your next cyber breach before it occurs.

Know your risk. Contact BreachLock today!
