Got Hacked? You’ll Probably Need To Report It To The Feds

Drew Conry-Murray

The Cybersecurity and Infrastructure Security Agency (CISA) has released draft guidelines that require organizations that suffer a security incident or make a ransomware payment to report that incident or payment to CISA.

The draft document describing these requirements is very long, but the gist is that covered entities have to file a report with CISA within 72 hours after they reasonably believe a covered cyber incident has occurred, or within 24 hours after making a ransomware payment.

Federal agencies and public and private companies in multiple sectors are covered by the requirements. These sectors include energy, telecom, finance, healthcare, defense, IT, and others.

I spent multiple hours going through the document and I’m sharing highlights here. CISA is currently seeking public comments (through June 3, 2024) on the proposed rules and how those rules will be implemented.

Here’s what I took from the proposal. (And if you want more, Jennifer Minella and I did a Packet Protector episode on the topic.)

Which Organizations Are Required To Report?

CISA estimates that more than 350,000 entities in the US will fall under the reporting requirement, so there’s a good chance this will impact you.

CISA uses multiple criteria to determine which entities are covered, including industry sector. The proposal lays out the covered entities by the following sectors:

  • Chemical
  • Telecommunications
  • Defense industrial base
  • Energy
  • Financial services
  • Government facilities
  • Healthcare and public health
  • Information Technology, including providers of OT hardware and software
  • Nuclear reactors, material, and waste
  • Transportation
  • Water and wastewater systems

Entity size will also determine if you have to report. CISA says small businesses will be exempt, but to my reading it wasn’t entirely clear where the cutoff is for a small business. Likely any organization with more than 1,500 employees will be required to report a security incident.

Note that meeting either of these criteria is enough to make an entity covered. For example, a large grocery chain doesn't fall under the sector criteria, but depending on the number of employees it has, it could fall under the size criteria.

What Kinds Of Incidents Have To Be Reported?

The draft proposal takes pains to describe what constitutes an incident to be reported. Of course, it’s difficult to precisely define a security incident. Organizations may grapple with the question of whether an incident rises to the level intended by the rules. The proposal lays out the following guidelines:

A security incident means:

(a) a substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network; 

(b) a serious impact on the safety and resiliency of a covered entity’s operational systems and processes; 

(c) a disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services; or 

(d) unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise. 

The proposal also provides more concrete examples:

  • A DDoS attack that renders a covered entity’s service unavailable for an extended period of time
  • A ransomware attack that encrypts a core business or information system
  • Persistent access by an unauthorized third party to information systems
  • Time-limited access to high-value information systems such as a domain controller or privileged credentials
  • Large-scale data breach or exfiltration
  • An attack that increases the potential for release of hazardous materials
  • Disruption to emergency alerts or 911 systems

As you can see from these examples, language such as “an extended period of time” or “large-scale breach” still leaves room for questions. One hopes CISA will provide more specific guidance when the final rules are released.

What Should The Report Include?

The short answer is that CISA wants as much information as possible. It specifically calls out the following:

  • Identify and describe affected information systems, networks, or devices
  • A description of the incident
  • Estimated date range of the incident
  • The incident’s impact on operations (e.g., was data stolen, were systems destroyed, etc.)
  • A description of the vulnerabilities exploited
  • The tactics, techniques, and procedures used by the perpetrators
  • What controls or frameworks were in place, whether those controls were operating, and how they failed
  • A description or copy/sample of any malicious software connected with the incident
  • Applicable logs
  • Your mitigation and response efforts

This is a substantial amount of information to know and deliver, particularly within the 72-hour window mandated by the rule. In the first 72 hours, organizations are likely to be caught up in investigation, response, and mitigation.

For this reason, CISA makes provisions for filing incomplete reports. Given the tight timeline, some questions can be answered with “Unknown at this time.” However, CISA also proposes that covered entities must, in a timely manner, file supplemental reports as they gather more details about the incident.

Note that CISA will also impose a data retention requirement for information related to reported incidents. The current draft proposes a two-year retention of relevant information.

How Do You Report?

The proposal considers multiple options, but the most likely method will be a web form that CISA will produce and operate.

Why Is CISA Doing This?

1. It’s the law. CISA is responding to a requirement from the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), a law passed by Congress in 2022, that requires “covered entities” to report “covered cyber incidents” to CISA.

2. To enhance the country’s cyber resiliency. By collecting incident information in a uniform and timely manner, CISA aims to have better visibility into the threat landscape and to track attacker trends against both federal agencies and private entities in the United States. At present, reporting requirements exist for individual sectors or industries, but there is no official mechanism to collect and analyze threat information for the nation as a whole.

CISA says it intends to share information among the covered entities to help those entities bolster their own defenses, and provide insights about what measures have proven effective at preventing or limiting the consequences of an incident.

What Happens If You Don’t Comply?

If you’re covered under these requirements and don’t report an incident, CISA has proposed mechanisms to obtain that information, including:

  • Request for Information (RFI)
  • A subpoena
  • A referral to the US Attorney General for a civil action to enforce a subpoena
  • Acquisition, suspension, and debarment enforcement procedures (i.e., you can no longer be a federal contractor)

If you make false statements, you may be referred to the Department of Justice and subject to fines and up to 5 years in prison.

What Happens Next?

As mentioned, CISA has released the proposal for public comment. The public comment period is running from now until June 3, 2024.

CISA anticipates having a final document written by the fall of 2025. The reporting rule is expected to go into effect in early 2026.

About Drew Conry-Murray: Drew Conry-Murray has been writing about information technology for more than 15 years, with an emphasis on networking, security, and cloud. He's co-host of The Network Break podcast and a Tech Field Day delegate. He loves real tea and virtual donuts, and is delighted that his job lets him talk with so many smart, passionate people. He writes novels in his spare time.
