Federal Guidelines Have Changed On Cyber Incidents

On Tuesday, March 15, 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the Act), which requires various sectors to report cybersecurity incidents. Under Presidential Policy Directive PPD-21, entities in the following 16 sectors are required to notify the Cybersecurity & Infrastructure Security Agency (CISA) within 72 hours of a cyber incident and within 24 hours of making a ransomware payment:

  • Chemical
  • Commercial facilities
  • Communications
  • Critical manufacturing
  • Dams
  • Defense Industrial Base
  • Emergency services
  • Energy
  • Financial services
  • Food and agriculture
  • Government facilities
  • Healthcare and public health
  • Information technology
  • Nuclear reactors, materials, and waste
  • Transportation systems
  • Water and wastewater systems

How Do I Determine What A Cyber Incident Is?

Section 2242, Required Reporting of Certain Cyber Incidents, sets out the following criteria:

“(c) Elements.—The final rule issued pursuant to subsection (b) shall be composed of the following elements:
“(1) A clear description of the types of entities that constitute covered entities, based on—
“(A) the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety;
“(B) the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and
“(C) the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.
“(2) A clear description of the types of substantial cyber incidents that constitute covered cyber incidents, which shall—
“(A) at a minimum, require the occurrence of—
“(i) a cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes;
“(ii) a disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability, against
“(I) an information system or network; or
“(II) an operational technology system or process; or
“(iii) unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise;

Source: https://www.congress.gov/bill/117th-congress/senate-bill/3600/text?r=3&s=2#toc-id1E3C7124ACBA4C4986D04F51AD1E8045

Do I Have Time To Prepare?

Yes. The Act will go into effect no later than 24 months after it was passed. Before it goes into effect, the Act must also go through a Call for Comments period in which the private sector can weigh in.

The intention of the Act is in the right place. I am hopeful that once CISA allows for comments, the Act will be more clearly defined and will provide safe ways to submit findings. Until then, CISA already has a way for you to notify them of a cyber incident. Go to: https://us-cert.cisa.gov/forms/report
