The increasing frequency and severity of cyberattacks have made cybersecurity a top priority for businesses and governments. In response to this growing threat, the US government has enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This legislation requires organizations within critical infrastructure sectors to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) and aims to improve collaboration between the public and private sectors in addressing cybersecurity threats. This article provides an overview of CIRCIA, the Ransomware Vulnerability Warning Pilot, required reporting, and measures businesses can take to protect against cyberattacks.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)
CIRCIA is a US law enacted in 2022 that requires organizations within industries deemed critical to national interests to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA). The law aims to improve cybersecurity by providing the government with greater visibility into the current threats facing critical infrastructure and enabling rapid response to mitigate the impact of these incidents. By requiring companies to report cyberattacks, CIRCIA seeks to increase collaboration between the private sector and the government, enhancing the nation’s overall cybersecurity efforts.
CIRCIA has several key objectives, including:
1. Enhancing the government’s understanding of cyber threats: By requiring businesses to report cyber incidents, the government can gain valuable insights into the types of attacks affecting critical infrastructure and identify trends and patterns that can inform policy decisions and response strategies.
2. Facilitating rapid response and assistance: Timely reporting of cyber incidents enables CISA and other government agencies to quickly deploy resources and assist affected businesses, potentially reducing the impact of the attack.
3. Encouraging information sharing and collaboration: The law aims to foster greater cooperation between the public and private sectors in addressing cybersecurity threats, ultimately helping to build a more resilient and secure digital ecosystem.
Which businesses and industries are required to report cyber incidents under CIRCIA?
CIRCIA applies to “covered entities,” which are organizations operating in one of the 16 critical infrastructure sectors designated by Presidential Policy Directive 21 (PPD-21). These sectors include:
2. Commercial Facilities
4. Critical Manufacturing
6. Defense Industrial Base
7. Emergency Services
9. Financial Services
10. Food and Agriculture
11. Government Facilities
12. Healthcare and Public Health
13. Information Technology
14. Nuclear Reactors, Materials, and Waste
15. Transportation Systems
16. Water and Wastewater Systems
Organizations within these sectors are considered critical to the United States, and their incapacitation or destruction would have a debilitating effect on national security, economic security, public health, or safety.
Types of Cyber Incidents to be Reported Under CIRCIA
Under CIRCIA, covered entities are required to report two main types of cyber incidents:
1. Covered cyber incidents: These are significant cyberattacks that have the potential to cause substantial harm to the affected business or have a broader impact on national security, economic stability, or public health and safety. Businesses must report these incidents to CISA within 72 hours of reasonably believing that the incident occurred.
2. Ransomware payments: Companies must report any ransom payments made due to a ransomware attack to CISA within 24 hours of making the payment.
How do businesses report cyber incidents to CISA?
While the final rule implementing CIRCIA’s reporting requirements is yet to be released, CISA currently encourages organizations to voluntarily share information about cyber incidents through email at firstname.lastname@example.org or by calling (888) 282-0870. Once the final rule is established, covered entities will be required to follow the specified reporting procedures within the stipulated timeframes.
The Ransomware Vulnerability Warning Pilot
To help mitigate the threat of ransomware attacks, CISA launched the Ransomware Vulnerability Warning Pilot (RVWP) on January 30, 2023. This program, required under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, aims to identify and notify critical infrastructure entities of vulnerabilities that bad actors could exploit.
The RVWP uses existing authorities and technology to proactively identify information systems containing security vulnerabilities commonly associated with ransomware attacks. Once these systems have been identified, CISA’s regional cybersecurity personnel notify the system owners, providing them with the information and guidance necessary to address the vulnerabilities.
Notifying Businesses of Vulnerabilities
If your organization receives a notification from CISA, it is essential to understand that this does not necessarily mean your system has been compromised. Instead, it indicates that your system has been identified as vulnerable and requires immediate remediation. The notification will typically include essential details about the vulnerable system, such as the manufacturer and model, the IP address, the method used to detect the vulnerability, and guidance on addressing the issue.
CISA regional staff members will make notifications either by phone call or email. If you are uncertain about the identity of the CISA personnel contacting you, you can verify their legitimacy through CISA Central by emailing Central@cisa.gov or calling (888) 282-0870.
Compliance and Additional Services
It is important to note that businesses are not required to comply with or implement any of CISA’s recommended actions. However, given the potential risks associated with ransomware attacks, it is in the best interest of organizations to take these recommendations seriously and act accordingly.
CISA offers multiple no-cost resources and tools to help businesses strengthen their cybersecurity posture. Organizations should sign up for CISA’s Cyber Hygiene Vulnerability Scanning, undertake a self-assessment to determine progress in implementing the Cybersecurity Performance Goals, and build a relationship with a regional CISA cybersecurity advisor to participate in additional applicable services or capabilities.
What other measures can businesses take to protect themselves against cyberattacks and strengthen their defenses?
While the threat of cyberattacks is ever-present, businesses can take several steps to protect themselves and strengthen their defenses:
Implement robust cybersecurity policies and procedures. This includes establishing a comprehensive cybersecurity program, conducting regular risk assessments, and providing ongoing cybersecurity training for employees.
Use antivirus software. Antivirus software can help protect systems against hackers, data thieves, and other cyber threats while blocking spam and unwanted advertisements.
Employ password managers. Password managers can help securely store and manage passwords, reducing the risk of unauthorized access by cybercriminals who exploit weak passwords to infiltrate systems.
Keep software and systems up-to-date. Regularly updating software and systems can help patch known vulnerabilities and minimize the risk of cyberattacks.
Develop an incident response plan. A well-defined incident response plan can help businesses quickly respond to and mitigate the impact of a cyber incident.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 and the Ransomware Vulnerability Warning Pilot are crucial to enhancing the nation’s cybersecurity efforts. Businesses operating within critical infrastructure sectors should comply with the reporting requirements and take proactive measures to protect themselves against cyberattacks. We understand the importance of cybersecurity and offer expert advisory services to help businesses navigate these evolving threats. We encourage you to contact us if you have any questions or want to discuss cybersecurity strategies to safeguard your operations.